Welcome! Log In Create A New Profile

Advanced

Re: Hide a request cookie in proxy_pass

November 14, 2016 06:14PM
Hi,

Thanks for this; it is pretty close to what I need. I just tried it out in the regex101.com editor and I think there might be a vulnerability: https://regex101.com/delete/ypHV2Yw6o3wHqGDQTHRPZw3r

The client could include the same cookie name in twice. This regexp would only strip out one of them. If the client sets a Javascript cookie with the same name as the HttpOnly cookie you are trying to protect then they might end up getting the secret cookie passed through to the origin server. Not sure if you can contrive a practical attack from this observation.

I have not yet found a general solution. In my case I am using the auth_request directive of Nginx so the auth_request service (a Python script) can provide the value of the onward Cookie header.

Regards,

James
Subject Author Posted

Hide a request cookie in proxy_pass

gthb August 29, 2014 11:55AM

Re: Hide a request cookie in proxy_pass

Maxim Dounin August 29, 2014 01:28PM

Re: Hide a request cookie in proxy_pass

gthb September 02, 2014 06:16AM

Re: Hide a request cookie in proxy_pass

jwal November 14, 2016 06:14PM

Re: Hide a request cookie in proxy_pass

jwal November 14, 2016 06:16PM

Re: Hide a request cookie in proxy_pass

AntoUX November 29, 2017 11:49AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 84
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready