Hide a request cookie in proxy_pass
jwal
nginx-forum at forum.nginx.org
Mon Nov 14 23:14:43 UTC 2016
Hi,
Thanks for this; it is pretty close to what I need. I just tried it out in
the regex101.com editor and I think there might be a vulnerability:
https://regex101.com/delete/ypHV2Yw6o3wHqGDQTHRPZw3r
The client could include the same cookie name in twice. This regexp would
only strip out one of them. If the client sets a Javascript cookie with the
same name as the HttpOnly cookie you are trying to protect then they might
end up getting the secret cookie passed through to the origin server. Not
sure if you can contrive a practical attack from this observation.
I have not yet found a general solution. In my case I am using the
auth_request directive of Nginx so the auth_request service (a Python
script) can provide the value of the onward Cookie header.
Regards,
James
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252944,270941#msg-270941
More information about the nginx
mailing list