NGINX and Cookies are hijacking on clients on the same network(NAT)

Maxim Dounin mdounin at mdounin.ru
Mon Dec 26 19:27:45 UTC 2011


Hello!

On Mon, Dec 26, 2011 at 12:18:54PM -0500, joao_neto wrote:

> We are experiencing a problem after the adoption of nginx as a server
> (apache had before).
> 
> It turns out that we are seeing many cases of clients that access data
> from other users in the session. This is because the login system (PHP)
> are stored in cookies. These cookies are being "shared" in computers on
> the same corporate network.
> 
> We realize that this problem only happens for several customers who are
> on the same network - that is, have the same external IP shared via
> single access point(NAT).
> 
> We've tried to do much to avoid the problem by adding validations and
> hash on cookies, but eventually realized that our server simply can not
> store cookies properly, and for the same network multiple machines share
> the cookie, which must be just a browser .
> 
> We are not sure if the problem is in NGINX, but we suspect it before the
> migration of APACHE -> nginx does not have the problem.
> 
> Is there some setting that can be done to remedy this problem?

I suspect the problem isn't NAT, but instead corporate proxy with 
cache.  Symptoms described suggest that cookies are set without 
proper cache-control headers to prevent caching.

This may be either backend problem (i.e. you just don't add proper 
headers in php; usually this is handled by php automatically as 
described in [1], though may be improperly configured) or nginx 
configuration problem (it's easy to strip/change headers in nginx, and 
you could accidently do it).

[1] http://php.net/manual/en/function.session-cache-limiter.php

Maxim Dounin



More information about the nginx mailing list