Protect link with cookies?


#1

Hello!

I am pretty new to nginx and am having a problem protecting my links.
I am using valid_referers, but is it possible to use cookies to make it
stronger?

For example, I set a cookie uid with nginx’s userid in ‘location / {}’
and check somehow under ‘location /download/ {}’ for the cookie uid. Is it
possible or just a dream? Userid was just an idea and is not necessary.
And any other ideas are welcome as well, because cheating the referer is
an easy task.

Bye,
Zsolt


#2

On Tue, Jun 09, 2009 at 01:30:50PM +0200, Artifex Maximus wrote:

easy task.
location /download/ {
    # reject requests that do not carry the NAME cookie
    if ($cookie_NAME = '') {
        return 403;
    }
}


#3

Hello!

2009/6/9 Igor S. removed_email_address@domain.invalid:

easy task.

location /download/ {
    if ($cookie_NAME = '') {
        return 403;
    }
}

Looks nice. Thank you Igor!

Bye,
Zsolt


#4

Hello!

On Tue, Jun 9, 2009 at 2:48 PM, Artifex Maximus removed_email_address@domain.invalid
wrote:

And any other ideas are welcome as well because cheating referer is
easy task.

location /download/ {
    if ($cookie_NAME = '') {
        return 403;
    }
}

Looks nice. Thank you Igor!

And it is working perfectly, though. Is there any simple solution (without
PHP or any external utility) for tracking these cookies? I mean storing
cookies in a database and checking whether the cookie that was sent is valid
or not. Or is it too complex and not an nginx task?

Bye,
Zsolt


#5

That is precisely the kind of control required to take place in an
upstream application, not nginx. Nginx should be thought of as sort
of a signal processor, that is, it sits in a stream and does its
business as quickly and efficiently as possible. Waiting on databases
is neither quick nor efficient.

Also there is nothing secure about cookies, which can be completely
manipulated by the client. Session data, on the other hand, is
internal and therefore much more reliable (and is basically what you
want to use).

– Merlin


#6

NginX does not provide any kind of internal API for session data or
anything of that sort… You could do what you want with embedded
perl, probably, if you really want to keep it in NginX, otherwise
you’re back to using $cookie_name variables (which is probably the
easiest/fastest solution) or you will want to write a module for NginX
itself.

– Merlin


#7

Hello!

On Wed, Jun 10, 2009 at 11:53 PM, merlin corey
removed_email_address@domain.invalid wrote:

That is precisely the kind of control required to take place in an
upstream application, not nginx. Nginx should be thought of as sort
of a signal processor, that is, it sits in a stream and does its
business as quickly and efficiently as possible. Waiting on databases
is neither quick nor efficient.

First of all thanks for your answer Merlin!

I think of it as an option, so the user has the choice of using it or not.
And in this way the user decides whether to put load on the server or not.
But in short, there is no such option.

Also there is nothing secure about cookies, which can be completely
manipulated by the client. Session data, on the other hand, is
internal and therefore much more reliable (and is basically what you
want to use).

I know, but it is not as easy as cheating on the referrer. I am not looking
to write the perfect protection system, actually, but one good enough for
basic protection, using as many different techniques as possible but not
more. And I do not want to write any external code (PHP in my case); let’s
say I am lazy. If I were able to store and retrieve used cookies and their
deadlines within nginx, the system would be pretty useful.

Does nginx have session data, or is some external processing required?

Bye,
Zsolt
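
The difference between the presence-only check posted in the thread and a cookie whose validity and deadline can be checked without a database, as an added example (not code from any poster or from nginx): an upstream application issues an HMAC-signed value and rejects forged or expired ones. The secret, the function names and the `uid.deadline.signature` layout are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: kept server-side, never sent to clients


def presence_check(cookie):
    """Model of the check in the thread: any non-empty cookie value is accepted."""
    return bool(cookie)


def _sign(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(uid, ttl, now=None):
    """Return 'uid.deadline.signature'; the signature covers uid and deadline."""
    deadline = int(time.time() if now is None else now) + ttl
    payload = f"{uid}.{deadline}"
    return f"{payload}.{_sign(payload)}"


def verify_token(cookie, now=None):
    """Return the uid for a correctly signed, unexpired cookie, else None."""
    try:
        uid, deadline, sig = cookie.rsplit(".", 2)
        expires_at = int(deadline)
    except (AttributeError, ValueError):
        return None  # missing cookie, wrong field count or non-numeric deadline
    expected = _sign(f"{uid}.{deadline}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # value was not issued by this server or was altered
    if (time.time() if now is None else now) > expires_at:
        return None  # deadline passed
    return uid


if __name__ == "__main__":
    token = issue_token("u42", ttl=300, now=1000)  # constructed sample values
    print(presence_check("made-up"), verify_token("made-up"))            # True None
    print(verify_token(token, now=1100), verify_token(token, now=1301))  # u42 None
```

A signed value proves only that the server issued it: anyone who copies the cookie can reuse it until the deadline passes, so the lifetime should be short.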


#8

Hello!
Thanks, I see. Because I do not have time to develop in C, PHP, Perl,
etc., everything remains as is.

Bye,
Zsolt

2009/6/11 merlin corey removed_email_address@domain.invalid