Redirect based on php-set cookies

tqvn2004 nginx-forum at
Thu Feb 10 15:42:39 MSK 2011

[b]To use the new version of secret_cookie module[/b]

In the nginx's config, you can use the following directives:

+ secret_cookie [on/off] : Turn on or turn off the module functionality

Note: If the module is turned off, all cookie check will return true.

+ secret_cookie_def on/off name=NAME rule=RULE duration=DURATION
salt=SALT ua_limit=UA_LIMIT log=on/off

This directive define one secret_cookie check (you can define more than
one as required). You can set individual secret_cookie check to on or
off separately. Other settings are:

- NAME: Name of the cookie of interest.

- RULE: If a cookie with such a name existed in HTTP header,
secret_cookie module will check it again this rule. The rule is: t =
time to live, s=salt value, u=user agent, a=remote IP address. For
example, rule=usat will check if the content of the cookie of interest
is the sha value of user agent + salt value + remote IP address + time
to live. You can repeat the rule if required (for example, rule=susast
will add salt repeatedly for several place)

- DURATION: The time for the cookie to live. If the cookie is valid for
1 hour, then duration=3600. The duration check  is only meaningful if
rule contains "time to live".

- SALT: A random string to increase the secure of secret cookie. Only
meaningful if the rule contains salt.

- UA_LIMIT: Sometime the user agent can be very long, which will cause
problem for secret_cookie check (more processing time, more memory etc).
You can limit the check to only first few byte of the user agent. For
example, ua_limit=25 means checking only first 25 bytes. 

- log=on/off: Turn on or off the logging of secret_cookie checking.

One example config with secret_cookie module enable:

# Turn secret_cookie module on
secret_cookie      on;
# Duration: 1 day = 86400, 2 day = 172800, 3 day = 259200, 1 weeks =
# Define AntiDoS cookie
secret_cookie_def  on  name=AntiDoS rule=sutas duration=86400
salt=2j3ns3a ua_limit=10 log=off;
# Define RestrictedArea cooke
secret_cookie_def  on  name=RestrictedArea rule=tsau duration=7200 
salt=3nh3323 us_limit=20 log=on;

# If AntiDoS cookie is not set, redirect to verification page
if ($secret_cookie_value !~ (AntiDoS)) {
     rewrite ^(.*)$ /verification/index.php;

location ~* /verification/.*\.php$ {
   # This is the verification location, where you should setup a php
captcha for user/bot identification.
   # If captcha is valid, assign user an AntiDoS cookie which match the
above rule.

# These are protected areas, only Admin can enter
location ~* ^/(admin|forum/admincp)/ {
    # If RestrictedArea cookie is not set, then redirect to admin
verification page
    if ($secret_cookie_value !~ (RestrictedArea)){
         rewrite ^(.*)$ /admin_verification/index.php last;

location ~* /admin_verification/.*\.php$ {
   # Again, this is verification location, where you should setup a php
captcha for admin identification.
   # If captcha is valid, assign admin an RestrictedArea cookie which
match the above rule.


Posted at Nginx Forum:,55378,173804#msg-173804

More information about the nginx mailing list