how to clear a cookie value in request object

Maxim Dounin mdounin at mdounin.ru
Fri Nov 1 23:41:26 UTC 2013


Hello!

On Fri, Nov 01, 2013 at 09:41:20AM -0700, Michael Ellery wrote:

> devs,
> 
> I'm looking for advice about how to properly clear a cookie value from the current request so that it will be omitted
> from the request when it goes upstream (to proxy). Here's the code I currently have:
> 
>         static ngx_str_t my_cookie_name = ngx_string("MyMagicCookieName");
> 
> 
>         ngx_uint_t         i;
>         ngx_table_elt_t  **h;
>         ngx_str_t  null_header_value = ngx_null_string;
>         h = r->headers_in.cookies.elts;
>         for (i = 0; i < r->headers_in.cookies.nelts; i++) {
>             if (h[i]->value.len > my_cookie_name.len &&
>                 0 == ngx_strncmp(h[i]->value.data, my_cookie_name.data, my_cookie_name.len))
>             {
>                 h[i]->value = null_header_value;
>                 break;
>             }
>         }
> 
> 
> My main concern is leaking memory -- will the nulling of this value cause memory to be leaked? If so, how can I fix this?
> 
> A secondary concern is that I believe value can actually contain a comma-separated list of cookie name/vals, although
> I've not actually encountered that problem so far. What would be the right way to wipe out only PART of the value data,
> if that's indeed what I need to do?

There are at least two problems with the above code:

- It tries to modify r->headers_in, which is wrong.  The 
  r->headers_in contains headers as received from a client, and 
  they are not expected to be modified.  Modifications will likely
  result in undefined behaviour.

- As you correctly assume, there can be more than one cookie in a 
  single Cookie header (and usually there is - as long as there 
  is more than one cookie used for a domain).

The proper solution would be to provide a new value for the Cookie 
header in a variable (taking into account multiple cookies in a 
single header), and then use

    proxy_set_header Cookie $your_new_cookie_value;

in configuration, much like with the $proxy_add_x_forwarded_for 
variable as available for X-Forwarded-For header modification.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
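
One way to compute the replacement Cookie value that the reply above describes, as an added example that is not part of the original thread or of nginx itself. It is plain C with no nginx types; `strip_cookie` is a hypothetical helper, and cookies are assumed to be separated by `;`. In a module, this logic would sit behind the variable handed to `proxy_set_header`.

```c
#include <stdio.h>
#include <string.h>

/* Copy the Cookie header value `in` to `out` without the cookie `name`.
 * Returns the new length, or -1 if `out` (capacity `cap`) is too small.
 * Hypothetical helper in plain C; it uses no nginx types or API. */
static int
strip_cookie(const char *in, size_t in_len, const char *name,
             char *out, size_t cap)
{
    size_t name_len = strlen(name), i = 0, o = 0;

    if (cap == 0) return -1;
    while (i < in_len) {
        /* skip separators and whitespace before the next name=value pair */
        while (i < in_len && (in[i] == ';' || in[i] == ' ' || in[i] == '\t')) i++;
        size_t start = i;
        while (i < in_len && in[i] != ';') i++;
        size_t end = i;
        while (end > start && (in[end - 1] == ' ' || in[end - 1] == '\t')) end--;
        size_t len = end - start;
        if (len == 0) continue;

        /* exact name match only: a bare prefix compare would also drop
         * a different cookie such as MyMagicCookieNameX */
        if (len >= name_len && memcmp(in + start, name, name_len) == 0
            && (len == name_len || in[start + name_len] == '='))
            continue;

        if (o + len + (o ? 2 : 0) + 1 > cap) return -1;
        if (o) { out[o++] = ';'; out[o++] = ' '; }
        memcpy(out + o, in + start, len);
        o += len;
    }
    out[o] = '\0';
    return (int) o;
}

int main(void)
{
    /* constructed sample header value */
    const char *h = "a=1; MyMagicCookieName=secret; MyMagicCookieNameX=keep; b=2";
    char buf[128];
    int n = strip_cookie(h, strlen(h), "MyMagicCookieName", buf, sizeof(buf));
    printf("%d: %s\n", n, buf);
    return 0;
}
```

A request can carry several Cookie header lines; each value can be passed through the helper in turn before the results are joined.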


