I have a http-only and secure (ssl) cookie, and I want nginx to check whether this cookie exists in a request, if not, reject it by serving a 404 page. This is just a preliminary check, so I don't care about the actual value in the cookie.

So far I've tried this: if ($http_cookie !~* "cookie_name=[.]+") { return 404; } in a location directive, but despite the cookie being contained in the requests, 404 is returned. What should be corrected here? Thanks!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,236394,236394#msg-236394
on 2013-02-20 23:11
on 2013-02-20 23:22
On Wed, Feb 20, 2013 at 05:10:26PM -0500, mrtn wrote:

> I have a http-only and secure (ssl) cookie, and I want nginx to check
> whether this cookie exists in a request, if not, reject it by serving a 404
> page. This is just a preliminary check, so I don't care about the actual
> value in the cookie.
>
> So far I've tried this: if ($http_cookie !~* "cookie_name=[.]+") { return
> 404; } in a location directive, but despite the cookie being contained in the
> requests, 404 is returned. What should be corrected here? Thanks!

Does it pass if the cookie value starts with a dot?

Every character in the regex means something. "." probably doesn't mean what you think it means here. Omit the [] and it might work for you.

Or you could just test $cookie_cookie_name directly -- does it equal the empty string? If not, it has a value.

(This doesn't actually check for http-only or secure, but you probably know that already.)

f
--
Francis Daly francis@daoine.org

on 2013-02-21 14:28
I see. Since you mentioned it, is there any way to check for http-only and secure properties of a cookie using nginx?

In other words, combined with the original question above, I want to check if a given cookie is present and it is http-only and secure, otherwise, reject the request with a 404.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,236394,236423#msg-236423

on 2013-02-21 14:41
On Thursday 21 February 2013 17:27:58 mrtn wrote:

> i see. since you mentioned it, is there any way to check for http-only and
> secure properties of a cookie using nginx?

There are no such properties in the Cookie request header.

wbr, Valentin V. Bartenev
--
http://nginx.com/support.html
http://nginx.org/en/donation.html

on 2013-03-11 22:54
http-only and secure are directives intended for the browser. If the browser doesn't detect HTTP proto for http-only setting and SSL for secure setting then the browser will drop the cookie and it will never make it to the web server.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,236394,237245#msg-237245

on 2013-03-12 08:01
On Tuesday 12 March 2013 01:54:01 kalpesh.patel@glgroup.com wrote:

> http-only and secure are directives intended for browser. If the browser
> doesn't detect HTTP proto for http-only setting and SSL for secure setting
> then browser will drop the cookie and will never make it to the web server.
>

Thank you, I know what "HttpOnly" and "Secure" are.

But, please, note that these attributes are sent via Set-Cookie header from a web-server *response*, while the question was:

> to check if a given a cookie is present and it is http-only and secure,
> otherwise, reject the request with a 404".

There's no way since they are not present in requests.

wbr, Valentin V. Bartenev
--
http://nginx.org/en/donation.html
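
Added example, not written by any participant in this thread: an nginx configuration that applies the replies above, testing $cookie_cookie_name for the presence check and setting HttpOnly and Secure on the response, since those attributes never appear in the request. The server name, certificate paths, location path and upstream address are placeholders, and proxy_cookie_flags requires nginx 1.19.3 or later.

```nginx
# Added example; names, paths and the upstream address are placeholders.
events {}

http {
    # 1 when the request carries no cookie_name cookie, or an empty one.
    # $cookie_cookie_name is nginx's per-cookie variable ($cookie_<name>).
    map $cookie_cookie_name $cookie_missing {
        ""      1;
        default 0;
    }

    server {
        listen 443 ssl;
        server_name example.test;                         # placeholder
        ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder

        location /protected/ {
            # Presence check only. Any client can send
            # "Cookie: cookie_name=x", so this is a pre-filter,
            # not authentication.
            if ($cookie_missing) {
                return 404;
            }

            # Regex form of the same test, kept for comparison.
            # "[.]+" from the question matches literal dots only;
            # "[^;]+" accepts any non-empty value, and the "(^|; *)"
            # prefix stops "other_cookie_name=" from matching.
            # if ($http_cookie !~ "(^|; *)cookie_name=[^;]+") { return 404; }

            proxy_pass http://127.0.0.1:8080;             # placeholder upstream

            # HttpOnly and Secure exist only on Set-Cookie in the response,
            # so they are enforced here rather than checked on the request.
            proxy_cookie_flags cookie_name secure httponly;
        }
    }
}
```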