Nginx accept set-cookie but hide it from the client?

Hello,

I have a reverse proxy setup on a website and I’m proxying logged in pages.
Everything works except there is a vulnerability in my setup.

I login to the site and I can cache the pages. I share these pages with
everyone else.

However there is a problem with how the set-cookie is passed onto the user when I just want nginx to keep it.

Is there a way to make nginx stay logged into the site, and hide the
set-cookie passed onto the client?

I’ve tried: proxy_hide_header Set-Cookie;

but that just logs out the session and can no longer access the protected pages. When the set-cookie is passed onto the user they can save that cookie and load it up into their browser and be able to login and “hack” the account.

Is there a way to keep nginx logged in, without exposing the set-cookie?

On 5 May 2013 20:05, nano [email protected] wrote:

> Is there a way to make nginx stay logged into the site, and hide the
> set-cookie passed onto the client?

I don’t think you’ve fully thought this through.

To help you realise what you’ve missed, please think this through and
answer:

What mechanism do you expect your application to use, in order to know
that a request comes from authenticated client A and not
unauthenticated client B, and hence access to a certain protected page
should be granted?

> I’ve tried: proxy_hide_header Set-Cookie;
>
> but that just logs out the session and can no longer access the protected
> pages. When the set-cookie is passed onto the user they can save that cookie
> and load it up into their browser and be able to login and “hack” the
> account.

I really don’t understand what hacking you think might be going on
here. An authenticated user getting access to the protected resources
that their account /should/ allow them to? What is /wrong/ here?

> Is there a way to keep nginx logged in, without exposing the set-cookie?

In general, cookies (should) render pages uncacheable, except if
you’re caching them per-user. Which is nasty.

What you’re describing is, as far as I can see, a lossy process,
leading to information being dropped at the nginx->client
communication stage, and will not work.

Of course, if you’re mucking around with someone else’s site, and
only have one login for it which you wish to share amongst multiple
front-end users, you could use

proxy_set_header Cookie “hard-coded logged-in user’s cookie”

… but that’s pretty horrible; both technically and morally. Don’t do
that.

Regards,
Jonathan

Jonathan M. // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
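
The point in the reply above, that cookie-bearing pages should not go into a shared cache, shown as an added example that is not part of the original thread: a shared cache in front of an application you operate yourself, which only ever stores and serves anonymous responses. The upstream name `app_backend`, the cookie name `sessionid`, the zone name `pagecache`, the host name and the paths are assumptions.

```nginx
# Added example (not from the thread). Assumed names: upstream "app_backend",
# session cookie "sessionid", cache zone "pagecache", host "example.test".
proxy_cache_path /var/cache/nginx/pagecache levels=1:2
                 keys_zone=pagecache:10m max_size=1g inactive=60m;

upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.test;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;

        proxy_cache       pagecache;
        proxy_cache_key   $scheme$host$request_uri;
        proxy_cache_valid 200 10m;

        # A request that carries a session cookie or an Authorization header
        # always goes to the backend and is never answered from the cache.
        proxy_cache_bypass $cookie_sessionid $http_authorization;

        # Never store the response to such a request, and never store any
        # response in which the backend sets a cookie.
        proxy_no_cache $cookie_sessionid $http_authorization
                       $upstream_http_set_cookie;

        # Deliberately absent: "proxy_ignore_headers Set-Cookie;".
        # By default nginx refuses to cache a response that has a Set-Cookie
        # header. Ignoring that header makes the response cacheable, and the
        # stored copy, Set-Cookie included, is then served to every client.

        # Lets you confirm which requests were HIT, MISS or BYPASS.
        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

With this in place, logged-in users always see backend responses tied to their own session, and only pages requested without credentials are shared.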

Thank you for the reply Jonathan.

My intentions are not malicious. The site in question is http://turkopticon.differenceengines.com/ and to read reports on that site one has to be logged in. The site is incredibly slow and I had an idea to cache the review data so reports on “bad requesters” (mturk requesters) will be easily available for access.

However using my account to proxy reviews and cache them, has resulted in someone changing my password. Nothing was lost, but to cache pages and make them available for everyone I need a way to hide the Set-Cookie session from everyone or else it exposes my account.

The site isn’t really “private” but the reviews are password protected to encourage user registration.

Thank you again for the reply Jonathan,

I’m sorry. This is not my application I am just trying to “mirror” it.

Without losing hope for caching, is there a way I can cache the pages and only show the data to logged in clients?

What would I have to do to make sure the user is logged in on the site
before showing them a cached result?

Does commenting out

proxy_ignore_headers Set-Cookie;

See if the client is logged in?

On 5 May 2013 21:00, nano [email protected] wrote:

> them available for everyone I need a way to hide the Set-Cookie session from
> everyone or else it exposes my account.

I don’t understand. Do you control the back-end application that is
consuming the cookies, or is it someone else’s site?

> The site isn’t really “private” but the reviews are password protected to
> encourage user registration.

What you are asking people on this list to help you with appears to
subvert this website’s wishes, and leads me to suspect that you don’t
control it.

Whatever your intentions are, malicious or otherwise, until you can
confirm that you’re merely proxying your own application I’m not going
to be able to help you.

Jonathan

Jonathan M. // Oxford, London, UK
http://www.jpluscplusm.com/contact.html

I can’t help you any further.

Jonathan

Jonathan M. // Oxford, London, UK
http://www.jpluscplusm.com/contact.html

I appreciate your responses Jonathan. Thank you for replying!
