Hide a request cookie in proxy_pass

jwal nginx-forum at forum.nginx.org
Mon Nov 14 23:14:43 UTC 2016


Thanks for this; it is pretty close to what I need. I just tried it out in
the regex101.com editor and I think there might be a vulnerability:

The client could include the same cookie name in twice. This regexp would
only strip out one of them. If the client sets a Javascript cookie with the
same name as the HttpOnly cookie you are trying to protect then they might
end up getting the secret cookie passed through to the origin server. Not
sure if you can contrive a practical attack from this observation.

I have not yet found a general solution. In my case I am using the
auth_request directive of Nginx so the auth_request service (a Python
script) can provide the value of the onward Cookie header.



Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252944,270941#msg-270941

More information about the nginx mailing list