NGINX and Cookies are hijacking on clients on the same network (NAT)

joao_neto nginx-forum at nginx.us
Mon Dec 26 17:18:54 UTC 2011


We have been experiencing a problem since adopting nginx as our server
(we had Apache before).

It turns out that we are seeing many cases of clients accessing data
from other users in the session. This is because the login system (PHP)
is stored in cookies. These cookies are being "shared" among computers on
the same corporate network.

We realized that this problem only happens for several customers who are
on the same network, that is, who have the same external IP shared via a
single access point (NAT).

We've tried a lot to avoid the problem by adding validations and
hashes on cookies, but eventually realized that our server simply cannot
store cookies properly, and on the same network multiple machines share
a cookie, which should belong to just one browser.

We are not sure if the problem is in NGINX, but we suspect it because,
before the migration from Apache to nginx, we did not have the problem.

Is there some setting that can be changed to remedy this problem?

Thanks for the help!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,220498,220498#msg-220498


