nginx cache seems to swallow Set-Cookie
Maxim Dounin
mdounin at mdounin.ru
Thu Sep 2 17:16:38 MSD 2010
Hello!
On Thu, Sep 02, 2010 at 09:02:15AM -0400, pertl wrote:
> I run nginx 0.7.67 as a frontend proxy and cache for my Java application
> running on jetty 7 using proxy_pass and proxy_cache.
>
> nginx runs on port 80, the java app on 8080.
>
> The very first thing the java application does when I call it in the
> browser ( http://localhost ) is create a new http session and send a 302
> redirect to the login page. The response contains a new "Set-Cookie:
> JSESSIONID=65omgcih3oif15g2yc1szsos;Path=/" with some new random session
> ID. The 302 also contains a "Cache: no-cache" so the 302 temporary
> redirect never gets cached which is what we want.
>
> Now what I experience is that nginx returns the java app server response
> with all but the "Set-Cookie". It's definitely there and nginx
> definitely removes it.
>
> This is a real pain and will break my app (and possible others).
>
> So is there such a thing like a "cookie-stripper-during-http-status-302"
> ?
In 0.7.67 nginx strips Set-Cookie headers by default on all
responses served with proxy_cache switched on. You may change
this with proxy_pass_header directive (note that this will cause
*cached* responses to return Set-Cookie header as well, you have
to make sure your backend doesn't return personal cookies on
cacheable responses).
Note that in 0.8.44 behaviour was changed to something considered
more natural. As of 0.8.44 nginx no longer caches responses with
Set-Cookie header and doesn't strip this header with cache turned
on (unless you instruct it to do so with proxy_hide_header and
proxy_ignore_headers).
Maxim Dounin
More information about the nginx
mailing list