Hide a request cookie in proxy_pass
nginx-forum at forum.nginx.org
Mon Nov 14 23:14:43 UTC 2016
Thanks for this; it is pretty close to what I need. I just tried it out in
the regex101.com editor and I think there might be a vulnerability:
The client could include the same cookie name twice. This regexp would
same name as the HttpOnly cookie you are trying to protect then they might
end up getting the secret cookie passed through to the origin server. Not
sure if you can contrive a practical attack from this observation.
I have not yet found a general solution. In my case I am using the
auth_request directive of Nginx so the auth_request service (a Python
script) can provide the value of the onward Cookie header.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252944,270941#msg-270941
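As an added example, not code from the poster or from the thread: a Python comparison of a one-shot regex strip (a constructed stand-in for the kind of regex under discussion, since the original is not quoted here) against a parse-and-filter approach that drops every pair with the protected name, the approach an auth_request service building the onward Cookie header could use.

```python
import re

# Constructed stand-in for a one-shot regex strip of the kind the thread
# discusses (assumed; the original map/regex is not on this page).
# It removes only the first `name=value` pair it finds.
def strip_cookie_once(cookie_header: str, name: str) -> str:
    pattern = re.compile(r"(?:^|;\s*)" + re.escape(name) + r"=[^;]*")
    return pattern.sub("", cookie_header, count=1).strip("; ")

def split_cookies(cookie_header: str) -> list[tuple[str, str]]:
    """Parse a Cookie header into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")  # first '=' separates name
        pairs.append((name.strip(), value.strip()))
    return pairs

def strip_cookie_all(cookie_header: str, name: str) -> str:
    """Drop every pair whose name matches exactly (cookie names are
    case-sensitive), so a duplicated name cannot carry a second copy
    through to the origin server."""
    kept = [f"{n}={v}" for n, v in split_cookies(cookie_header) if n != name]
    return "; ".join(kept)

def cookie_names(cookie_header: str) -> list[str]:
    """Names present in a Cookie header, duplicates included."""
    return [n for n, _ in split_cookies(cookie_header)]

if __name__ == "__main__":
    # Constructed request header: the protected cookie appears twice.
    header = "session=abc; secret=s1; secret=s2; theme=dark"
    print("regex, once:", strip_cookie_once(header, "secret"))
    print("parse, all :", strip_cookie_all(header, "secret"))
```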