secure and httponly cookies
Krishna Kumar K K
krishna at Brocade.com
Tue Mar 8 00:38:48 UTC 2016
I am able to modify the set-cookie header from the server to flag it secure. I am trying to do the same in the request header as well.
From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Francis Daly
Sent: Monday, March 07, 2016 2:57 PM
To: nginx at nginx.org
Subject: Re: secure and httponly cookies
On Mon, Mar 07, 2016 at 09:50:00PM +0000, Krishna Kumar K K wrote:
> I have tried exactly the same as in this page:-
> proxy_cookie_path / "/; secure; HttpOnly";
> it sets the flags on the cookie in the response header, but when I refresh the page, it is sending the cookies in the request header without these flags; it just resets it.
That sounds like it is doing exactly what it should, no?
Flags are sent by the server in Set-Cookie response headers. Cookies are sent by the client (or not) in Cookie request headers.
What behaviour do you want that you are not seeing?
Francis Daly francis at daoine.org
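
The distinction drawn in the reply above, as an added example that is not part of the original thread: flags are checked on the Set-Cookie response header, and the Cookie request header a client sends back carries only name=value pairs. The cookie names and values are constructed sample data, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie response header values as a client would see
# them. The first has the flags appended as in the proxy_cookie_path line quoted
# in the thread; the second is a constructed cookie without them, for contrast.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; secure; HttpOnly",
    "theme=dark",
]


def audit_set_cookie(lines):
    """Return {cookie_name: [missing flags]} for Set-Cookie header values."""
    report = {}
    for line in lines:
        jar = SimpleCookie()
        jar.load(line)  # parses one Set-Cookie value, attributes included
        for name, morsel in jar.items():
            # Morsel stores "" for an absent flag and True for a present one.
            report[name] = [f for f in ("secure", "httponly") if not morsel[f]]
    return report


def request_cookie_header(lines):
    """Build the Cookie request header a client sends back.

    Attributes (Path, Secure, HttpOnly) stay in the client's cookie store;
    only name=value pairs go on the wire.
    """
    pairs = []
    for line in lines:
        jar = SimpleCookie()
        jar.load(line)
        pairs.extend(f"{name}={morsel.value}" for name, morsel in jar.items())
    return "; ".join(pairs)


if __name__ == "__main__":
    print("Missing flags:", audit_set_cookie(SAMPLE_SET_COOKIE))
    print("Cookie:", request_cookie_header(SAMPLE_SET_COOKIE))
```
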