NGINX and Cookies are hijacking on clients on the same network(NAT)
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 26 19:27:45 UTC 2011
Hello!
On Mon, Dec 26, 2011 at 12:18:54PM -0500, joao_neto wrote:
> We are experiencing a problem after the adoption of nginx as a server
> (apache had before).
>
> It turns out that we are seeing many cases of clients that access data
> from other users in the session. This is because the login system (PHP)
> are stored in cookies. These cookies are being "shared" in computers on
> the same corporate network.
>
> We realize that this problem only happens for several customers who are
> on the same network - that is, have the same external IP shared via
> single access point(NAT).
>
> We've tried to do much to avoid the problem by adding validations and
> hash on cookies, but eventually realized that our server simply can not
> store cookies properly, and for the same network multiple machines share
> the cookie, which must be just a browser .
>
> We are not sure if the problem is in NGINX, but we suspect it before the
> migration of APACHE -> nginx does not have the problem.
>
> Is there some setting that can be done to remedy this problem?
I suspect the problem isn't NAT, but instead corporate proxy with
cache. Symptoms described suggest that cookies are set without
proper cache-control headers to prevent caching.
This may be either backend problem (i.e. you just don't add proper
headers in php; usually this is handled by php automatically as
described in [1], though may be improperly configured) or nginx
configuration problem (it's easy to strip/change headers in nginx, and
you could accidently do it).
[1] http://php.net/manual/en/function.session-cache-limiter.php
Maxim Dounin
More information about the nginx
mailing list