set_encrypt_session after access phase?

Vader Mader vader8765 at
Fri Jun 19 14:20:43 UTC 2015

On Thu, Jun 18, 2015 at 11:29 AM, Vader Mader <vader8765 at> wrote:
> I'm having trouble setting a cookie conditionally based upon
> an upstream variable. The hope is to cache an auth token in an
> encrypted session and only go to the backend auth token generator once.

I managed to figure out how to use map to set the cookie:

    map $new_auth_tok $cond_cookie_k {
        ''         '';
        default    "my_login=";
    }

    map $new_auth_tok $cond_cookie_v {
        ''         '';
        default    $b32_session;
    }

    add_header Set-Cookie $cond_cookie_k$cond_cookie_v;

However, my problem is that set_encrypt_session actually runs in the
rewrite phase before my authentication back end like this:

    location / {
        root   /var/www;
        index  index.html index.htm;

        set_encrypt_session $enc_auth_tok $new_auth_tok;
        set_encode_base32 $b32 $enc_auth_tok;

        auth_request /auth;
        auth_request_set $new_auth_tok $upstream_http_auth_tok;

        add_header Set-Cookie $cond_cookie_k$cond_cookie_v;
    }

Is there any way to encrypt after the access phase?
