NGINX and cookie hijacking on clients on the same network (NAT)

We are experiencing a problem after adopting nginx as our server
(we had Apache before).

It turns out that we are seeing many cases of clients that access data
from other users' sessions. This is because the login system (PHP)
is stored in cookies. These cookies are being "shared" between computers on
the same corporate network.

We realize that this problem only happens for several customers who are
on the same network - that is, who have the same external IP shared via a
single access point (NAT).

We've tried hard to avoid the problem by adding validations and a
hash to the cookies, but eventually realized that our server simply cannot
store cookies properly, and on the same network multiple machines share
the cookie, which should be just one browser.

We are not sure if the problem is in NGINX, but we suspect it because before the
migration from Apache → nginx we did not have the problem.

Is there some setting that can be changed to remedy this problem?

Thanks for the help!

Posted at Nginx Forum:

Hello!

On Mon, Dec 26, 2011 at 12:18:54PM -0500, joao_neto wrote:

> single access point (NAT).
>
> We've tried hard to avoid the problem by adding validations and a
> hash to the cookies, but eventually realized that our server simply cannot
> store cookies properly, and on the same network multiple machines share
> the cookie, which should be just one browser.
>
> We are not sure if the problem is in NGINX, but we suspect it because before the
> migration from Apache → nginx we did not have the problem.
>
> Is there some setting that can be changed to remedy this problem?

I suspect the problem isn't NAT, but instead a corporate proxy with a
cache. The symptoms described suggest that cookies are set without
proper cache-control headers to prevent caching.

This may be either a backend problem (i.e. you just don't add proper
headers in PHP; usually this is handled by PHP automatically as
described in [1], though it may be improperly configured) or an nginx
configuration problem (it's easy to strip/change headers in nginx, and
you could accidentally do it).

[1] PHP: session_cache_limiter - Manual

Maxim D.
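As an added example that is not part of either post above, here is a check for the condition Maxim describes: a response that carries Set-Cookie but nothing in Cache-Control that forbids a shared proxy cache from storing it and handing it to the next client. The header sets are constructed for illustration, not captured from the poster's servers; the first mirrors what PHP emits with its default session_cache_limiter of nocache, the others show what the proxy sees once those headers have been dropped or overridden on the way out. The function names and the classification logic are this example's own.

```python
"""Flag HTTP responses whose Set-Cookie could be stored by a shared cache.

Added example, not code from the thread. Classification follows the
shared-cache rules of RFC 7234: a shared cache must not store a response
marked no-store or private, and must not reuse a no-cache response without
revalidation; anything else that sets a cookie is at risk of being served
to a different client behind the same proxy.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Cache-Control directives that stop a shared cache from reusing the
# response for another client.
SAFE_DIRECTIVES = {"no-store", "private", "no-cache"}


def cache_control_directives(headers: List[Header]) -> Dict[str, str]:
    """Merge every Cache-Control field into one directive -> value map."""
    directives: Dict[str, str] = {}
    for name, value in headers:
        if name.lower() != "cache-control":
            continue
        for token in value.split(","):
            token = token.strip()
            if not token:
                continue
            key, _, val = token.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def shared_cache_risk(headers: List[Header]) -> Dict[str, object]:
    """Return {'sets_cookie': bool, 'shareable': bool, 'reason': str}.

    'shareable' is True when nothing in the response forbids a shared
    cache from storing it, Set-Cookie included, and serving it to the
    next client.
    """
    sets_cookie = any(n.lower() == "set-cookie" for n, _ in headers)
    if not sets_cookie:
        return {"sets_cookie": False, "shareable": False,
                "reason": "no Set-Cookie header, nothing per-user to leak"}
    cc = cache_control_directives(headers)
    found = SAFE_DIRECTIVES & set(cc)
    if found:
        return {"sets_cookie": True, "shareable": False,
                "reason": "Cache-Control carries " + ", ".join(sorted(found))}
    # Nothing forbids storage; say how a proxy would decide freshness.
    names = {n.lower() for n, _ in headers}
    if "s-maxage" in cc or "max-age" in cc or "public" in cc:
        why = "Cache-Control explicitly allows caching (%s)" % ", ".join(sorted(cc))
    elif "expires" in names:
        why = "Expires present but no Cache-Control; the proxy may store it"
    else:
        why = "no explicit freshness; a proxy may apply heuristic caching"
    return {"sets_cookie": True, "shareable": True,
            "reason": why + "; add Cache-Control: private or no-store"}


# Constructed samples (not captured from any real server).
PHP_DEFAULT = [  # what PHP's default session_cache_limiter=nocache emits
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; path=/"),
    ("Expires", "Thu, 19 Nov 1981 08:52:00 GMT"),
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
]
STRIPPED = [  # same response after Cache-Control/Expires were dropped
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; path=/"),
]
OVERRIDDEN = [  # a blanket caching rule applied to every response
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; path=/"),
    ("Cache-Control", "public, max-age=3600"),
]
STATIC = [  # a cookie-less asset; caching it is fine
    ("Content-Type", "text/css"),
    ("Cache-Control", "public, max-age=3600"),
]

if __name__ == "__main__":
    for label, hdrs in [("php_default", PHP_DEFAULT), ("stripped", STRIPPED),
                        ("overridden", OVERRIDDEN), ("static", STATIC)]:
        print(label, shared_cache_risk(hdrs))
```

To apply this to the thread's situation, compare the headers the browser receives through nginx against those the PHP backend emits (for example with `curl -sI` against each) and run both sets through `shared_cache_risk`. The two ways of ending up with the STRIPPED or OVERRIDDEN shape in nginx are a `proxy_hide_header` / `fastcgi_hide_header` directive that drops the backend's Cache-Control, and a blanket `expires` or `add_header Cache-Control` rule in a location that also serves the PHP responses; both are worth checking before blaming NAT.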