nginx cache seems to swallow Set-Cookie

Maxim Dounin mdounin at mdounin.ru
Thu Sep 2 17:16:38 MSD 2010


Hello!

On Thu, Sep 02, 2010 at 09:02:15AM -0400, pertl wrote:

> I run nginx 0.7.67 as a frontend proxy and cache for my Java application
> running on jetty 7 using proxy_pass and proxy_cache.
> 
> nginx runs on port 80, the java app on 8080.
> 
> The very first thing the java application does when I call it in the
> browser ( http://localhost ) is create a new http session and send a 302
> redirect to the login page. The response contains a new "Set-Cookie:
> JSESSIONID=65omgcih3oif15g2yc1szsos;Path=/" with some new random session
> ID. The 302 also contains a "Cache: no-cache" so the 302 temporary
> redirect never gets cached which is what we want.
> 
> Now what I experience is that nginx returns the java app server response
> with all but the "Set-Cookie". It's definitely there and nginx
> definitely removes it.
> 
> This is a real pain and will break my app (and possibly others).
> 
> So is there such a thing like a "cookie-stripper-during-http-status-302"
> ?

In 0.7.67 nginx strips Set-Cookie headers by default on all 
responses served with proxy_cache switched on.  You may change 
this with the proxy_pass_header directive (note that this will cause 
*cached* responses to return the Set-Cookie header as well; you have 
to make sure your backend doesn't return personal cookies on 
cacheable responses).

Note that in 0.8.44 the behaviour was changed to something considered 
more natural.  As of 0.8.44 nginx no longer caches responses with 
a Set-Cookie header and doesn't strip this header with cache turned 
on (unless you instruct it to do so with proxy_hide_header and 
proxy_ignore_headers).

Maxim Dounin
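
An added example, not part of the original message and not nginx code: a Python check that can be run over backend response headers before enabling proxy_pass_header Set-Cookie, flagging any response that sets a cookie without being marked uncacheable. The header rules are a simplified model (an assumption, including X-Accel-Expires taking precedence), and the sample responses are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_headers(raw):
    """Map lower-cased header names to lists of values, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def expired(value, now):
    """An Expires value in the past, or unparsable (e.g. "0"), counts as expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def marked_uncacheable(headers, now):
    """Simplified model (assumption) of headers a cache treats as 'do not store'."""
    accel = headers.get("x-accel-expires")
    if accel:  # assumed to take precedence over Cache-Control and Expires
        return accel[0] == "0"
    for value in headers.get("cache-control", []):
        tokens = {t.strip().lower() for t in value.split(",")}
        if tokens & {"no-cache", "no-store", "private", "max-age=0"}:
            return True
    return any(expired(v, now) for v in headers.get("expires", []))

def cookie_on_cacheable(raw, now=None):
    """True when a response carries Set-Cookie but is not marked uncacheable."""
    now = now or datetime.now(timezone.utc)
    headers = parse_headers(raw)
    return "set-cookie" in headers and not marked_uncacheable(headers, now)

# Constructed sample header blocks, not captured traffic.
LOGIN_REDIRECT = """HTTP/1.1 302 Found
Cache-Control: no-cache
Set-Cookie: JSESSIONID=EXAMPLE;Path=/
"""
CACHEABLE_WITH_COOKIE = """HTTP/1.1 200 OK
Cache-Control: max-age=600
Set-Cookie: JSESSIONID=EXAMPLE;Path=/
"""
```

Any response for which cookie_on_cacheable returns True is one where a cached copy could hand the same session cookie to every client.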


