Nginx accept set-cookie but hide it from the client?

nano nginx-forum at
Sun May 5 19:05:07 UTC 2013


I have a reverse proxy setup on a website and I'm proxying logged in pages.
Everything works except there is a vulnerability in my setup.

I login to the site and I can cache the pages. I share these pages with
everyone else.

However, there is a problem with how the Set-Cookie is passed on to the user
when I just want nginx to keep it.

Is there a way to make nginx stay logged into the site, and hide the
Set-Cookie passed on to the client?

I've tried: proxy_hide_header Set-Cookie;

but that just logs out the session and I can no longer access the protected
pages. When the Set-Cookie is passed on to the user they can save that cookie
and load it up into their browser and be able to login and "hack" the
Is there a way to keep nginx logged in, without exposing the set-cookie?

Posted at Nginx Forum:,238867,238867#msg-238867
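As an added example (not part of the original post and not nginx's own documentation), the following location holds the upstream session cookie only in the proxy configuration, presents it upstream on every request, and strips the upstream Set-Cookie from what clients and the shared cache see. The upstream host, cookie name and cookie value are constructed placeholders.

```nginx
# Added example, not from the original post.
# Assumptions: upstream at app.example.internal, session cookie named
# "session", value a constructed placeholder that lives ONLY in this file.
proxy_cache_path /var/cache/nginx/public levels=1:2 keys_zone=public:10m
                 max_size=1g inactive=60m;

server {
    listen 80;
    server_name public.example.com;

    location / {
        proxy_pass https://app.example.internal;

        # Credential the proxy presents upstream. Anonymous clients never
        # send it and never receive it. nginx keeps no session state of its
        # own, which is why hiding Set-Cookie alone "logs out" the session:
        # the browser stops sending a cookie and nginx forwards none.
        proxy_set_header Cookie "session=PLACEHOLDER_SESSION_VALUE";

        # The upstream reply may still carry Set-Cookie (a session refresh).
        # 1) Never let it reach the client response.
        proxy_hide_header Set-Cookie;
        # 2) Do not let it block caching: by default a response carrying
        #    Set-Cookie is not cached; ignoring the header makes the page
        #    cacheable, and the hide directive above still removes it from
        #    every served response.
        proxy_ignore_headers Set-Cookie;

        # One shared cache entry per URL. Client cookies are not part of the
        # key, so nothing client-specific is stored or cross-served.
        proxy_cache public;
        proxy_cache_key "$scheme$host$request_uri";
        proxy_cache_valid 200 10m;
    }
}
```

Because the refreshed Set-Cookie is dropped, a static cookie value expires whenever the upstream rotates or times out the session, and it must then be replaced in the configuration. Anything the account can see is cached and served to everyone, so the account should have no more access than the public pages are meant to expose.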
