Protect link with cookies?

Artifex Maximus artifexor at gmail.com
Fri Jun 12 13:33:10 MSD 2009


Hello!
Thanks, I see. Because I do not have time for develop in C, PHP, Perl, etc
everything is remain as is.

Bye,
Zsolt

2009/6/11 merlin corey <merlincorey at dc949.org>

> NginX does not provide any kind of internal API for session data or
> anything of that sort...  You could do what you want with embedded
> perl, probably, if you really want to keep it in NginX, otherwise
> you're back to using $cookie_name variables (which is probably the
> easiest/fastest solution) or you will want to write a module for NginX
> itself.
>
> -- Merlin
>
> On Thu, Jun 11, 2009 at 3:11 AM, Artifex Maximus<artifexor at gmail.com>
> wrote:
> > Hello!
> >
> > On Wed, Jun 10, 2009 at 11:53 PM, merlin corey <merlincorey at dc949.org>
> > wrote:
> >>
> >> That is precisely the kind of control required to take place in an
> >> upstream application, not nginx.  Nginx should be thought of as sort
> >> of a signal processor, that is, it sits in a stream and does its
> >> business as quickly and efficiently as possible.  Waiting on databases
> >> is neither quick nor efficient.
> >
> > First of all thanks for your answer Merlin!
> > I think it as an option so user have the choice using it or not. And in
> this
> > way user decides to put load on server or not. But in short there is no
> such
> > option.
> >
> >>
> >> Also there is nothing secure about cookies, which can be completely
> >> manipulated by the client.  Session data, on the other hand, is
> >> internal and therefore much more reliable (and is basically what you
> >> want to use).
> >
> > I know it but not as easy as cheating on referrer. I do not look for
> writing
> > the perfect protection system actually but good enough for basic
> protection
> > and using as much of different techniques as possible but not more. And I
> do
> > not want to write any external code (PHP in my case) let's say I am lazy.
> If
> > I am able to store and retrieve used cookies and their deadline within
> nginx
> > the system would be pretty useful.
> > Is nginx have session data or some external processing required?
> > Bye,
> > Zsolt
> >
> >>
> >> On Wed, Jun 10, 2009 at 3:16 AM, Artifex Maximus<artifexor at gmail.com>
> >> wrote:
> >> > Hello!
> >> >
> >> > On Tue, Jun 9, 2009 at 2:48 PM, Artifex Maximus<artifexor at gmail.com>
> >> > wrote:
> >> >> 2009/6/9 Igor Sysoev <is at rambler-co.ru>:
> >> >>> On Tue, Jun 09, 2009 at 01:30:50PM +0200, Artifex Maximus wrote:
> >> >>>
> >> >>>> I am pretty newbie to nginx and having problem on protecting my
> >> >>>> links.
> >> >>>> I am using valid_referers but is it possible using cookies for make
> >> >>>> it
> >> >>>> stronger?
> >> >>>>
> >> >>>> For example I set cookie uid with nginx's userid in 'location / {}'
> >> >>>> and check somehow under 'location /download/ {}' for cookie uid. Is
> >> >>>> it
> >> >>>> possible or just a dream? Userid was just an idea and not
> necessary.
> >> >>>> And any other ideas are welcome as well because cheating referer is
> >> >>>> easy task.
> >> >>>
> >> >>>    location /download/ {
> >> >>>        if ($cooke_NAME = '') {
> >> >>>            return 403;
> >> >>>        }
> >> >>>    }
> >> >>
> >> >> Looks nice. Thank you Igor!
> >> >
> >> > And working perfectly though. Is there any simple solution (without
> >> > PHP or any external utility) to tracking this cookies? I mean storing
> >> > cookies in database and checking that cookie have sent is valid or
> >> > not. Or is it too complex and not nginx task?
> >> >
> >> > Bye,
> >> > Zsolt
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx/attachments/20090612/57afbe09/attachment.html>


More information about the nginx mailing list