I am able to modify the set-cookie header from the server to flag it secure. I am trying to do the same in the request header as well.

-----Original Message-----
From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Francis Daly
Sent: Monday, March 07, 2016 2:57 PM
To: nginx@nginx.org
Subject: Re: secure and httponly cookies

On Mon, Mar 07, 2016 at 09:50:00PM +0000, Krishna Kumar K K wrote:

Hi there,

> I have tried exactly the same as in this page:-
>
> proxy_cookie_path / "/; secure; HttpOnly";
>
> it sets the flags on the cookie in the response header, but when I refresh the page, it is sending the cookies in the requests header without these flags, it just resets it.

That sounds like it is doing exactly what it should, no?

Flags are sent by the server in Set-Cookie response headers. Cookies are sent by the client (or not) in Cookie request headers.

What behaviour do you want that you are not seeing?

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=qqv8VRtGpRns7L0SDrt1t6zKEagc2ZGMgkx7L4rLIMY&s=KQ19DpL_IThnal0du_vPQ-KtWlThbMiKK2gnyg0s2Vs&e=

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx