How to check the existence of a http-only secure cookie

I have a http-only and secure (ssl) cookie, and I want nginx to check
whether this cookie exists in a request, if not, reject it by serving a
404
page. This is just a preliminary check, so I don’t care about the actual
value in the cookie.

So far I’ve tried this: if ($http_cookie !~* “cookie_name=[.]+”) {
return
404; } in a location directive, but despite the cookie is contained in
the
requests, 404 is returned. What should be corrected here? Thanks!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,236394,236394#msg-236394

On Wed, Feb 20, 2013 at 05:10:26PM -0500, mrtn wrote:

I have a http-only and secure (ssl) cookie, and I want nginx to check
whether this cookie exists in a request, if not, reject it by serving a 404
page. This is just a preliminary check, so I don’t care about the actual
value in the cookie.

So far I’ve tried this: if ($http_cookie !~* “cookie_name=[.]+”) { return
404; } in a location directive, but despite the cookie is contained in the
requests, 404 is returned. What should be corrected here? Thanks!

Does it pass if the cookie value starts with a dot?

Every character in the regex means something. “.” probably doesn’t mean
what you think it means here.

Omit the [] and it might work for you. Or you could just test
$cookie_cookie_name directly – does it equal the empty string? If not,
it has a value.

(This doesn’t actually check for http-only or secure, but you probably
know that already.)

f

Francis D. [email protected]

i see. since you mentioned it, is there any way to check for http-only
and
secure properties of a cookie using nginx? In other words, combined with
the
original question above, i want to check if a given a cookie is present
and
it is http-only and secure, otherwise, reject the request with a 404.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,236394,236423#msg-236423

On Thursday 21 February 2013 17:27:58 mrtn wrote:

i see. since you mentioned it, is there any way to check for http-only and
secure properties of a cookie using nginx?

There are no such properties in the Cookie request header.

wbr, Valentin V. Bartenev


http://nginx.com/support.html
http://nginx.org/en/donation.html

On Tuesday 12 March 2013 01:54:01 [email protected] wrote:

http-only and secure are directives intended for browser. If the browser
doesn’t detect HTTP proto for http-only setting and SSL for secure setting
then browser will drop the cookie and will never make it to the web server.

Thank you, I know what “HttpOnly” and “Secure” are. But, please, note
that
these attributes are sent via Set-Cookie header from a web-server
response,
while the question was:

to check if a given a cookie is present and it is http-only and
secure,
otherwise, reject the request with a 404".

There’s no way since they do not present in requests.

wbr, Valentin V. Bartenev


http://nginx.org/en/donation.html

http-only and secure are directives intended for browser. If the browser
doesn’t detect HTTP proto for http-only setting and SSL for secure
setting
then browser will drop the cookie and will never make it to the web
server.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,236394,237245#msg-237245

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs