How to check the existence of a http-only secure cookie

Francis Daly francis at
Wed Feb 20 22:22:18 UTC 2013

On Wed, Feb 20, 2013 at 05:10:26PM -0500, mrtn wrote:
> I have a http-only and secure (ssl) cookie, and I want nginx to check
> whether this cookie exists in a request, if not, reject it by serving a 404
> page. This is just a preliminary check, so I don't care about the actual
> value in the cookie.
> So far I've tried this: if ($http_cookie !~* "cookie_name=[.]+") { return
> 404; } in a location directive, but despite the cookie is contained in the
> requests, 404 is returned. What should be corrected here? Thanks!

Does it pass if the cookie value starts with a dot?

Every character in the regex means something. "." probably doesn't mean
what you think it means here.

Omit the [] and it might work for you. Or you could just test
$cookie_cookie_name directly -- does it equal the empty string? If not,
it has a value.

(This doesn't actually check for http-only or secure, but you probably
know that already.)

Francis Daly        francis at

More information about the nginx mailing list