Protect link with cookies?

Artifex Maximus artifexor at
Thu Jun 11 14:11:26 MSD 2009


On Wed, Jun 10, 2009 at 11:53 PM, merlin corey <merlincorey at>wrote:

> That is precisely the kind of control required to take place in an
> upstream application, not nginx.  Nginx should be thought of as sort
> of a signal processor, that is, it sits in a stream and does its
> business as quickly and efficiently as possible.  Waiting on databases
> is neither quick nor efficient.

First of all thanks for your answer Merlin!

I think it as an option so user have the choice using it or not. And in this
way user decides to put load on server or not. But in short there is no such

> Also there is nothing secure about cookies, which can be completely
> manipulated by the client.  Session data, on the other hand, is
> internal and therefore much more reliable (and is basically what you
> want to use).

I know it but not as easy as cheating on referrer. I do not look for writing
the perfect protection system actually but good enough for basic protection
and using as much of different techniques as possible but not more. And I do
not want to write any external code (PHP in my case) let's say I am lazy. If
I am able to store and retrieve used cookies and their deadline within nginx
the system would be pretty useful.

Is nginx have session data or some external processing required?


> On Wed, Jun 10, 2009 at 3:16 AM, Artifex Maximus<artifexor at>
> wrote:
> > Hello!
> >
> > On Tue, Jun 9, 2009 at 2:48 PM, Artifex Maximus<artifexor at>
> wrote:
> >> 2009/6/9 Igor Sysoev <is at>:
> >>> On Tue, Jun 09, 2009 at 01:30:50PM +0200, Artifex Maximus wrote:
> >>>
> >>>> I am pretty newbie to nginx and having problem on protecting my links.
> >>>> I am using valid_referers but is it possible using cookies for make it
> >>>> stronger?
> >>>>
> >>>> For example I set cookie uid with nginx's userid in 'location / {}'
> >>>> and check somehow under 'location /download/ {}' for cookie uid. Is it
> >>>> possible or just a dream? Userid was just an idea and not necessary.
> >>>> And any other ideas are welcome as well because cheating referer is
> >>>> easy task.
> >>>
> >>>    location /download/ {
> >>>        if ($cooke_NAME = '') {
> >>>            return 403;
> >>>        }
> >>>    }
> >>
> >> Looks nice. Thank you Igor!
> >
> > And working perfectly though. Is there any simple solution (without
> > PHP or any external utility) to tracking this cookies? I mean storing
> > cookies in database and checking that cookie have sent is valid or
> > not. Or is it too complex and not nginx task?
> >
> > Bye,
> > Zsolt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list