Forum: NGINX cookie injection / verification / redirect

Payam Chychi (Guest)
on 2009-01-23 05:36
(Received via mailing list)
Hey Guys,

I'm trying to see what the best way of doing this would be... any and
all thoughts are greatly appreciated.

a) client --> proxy --> [cookie set?] if yes, proxy connection to
$origin. call it a day
b) client --> proxy --> [cookie set?] if no, set cookie, redirect
client to proxy and see if the cookie is set, if No, keep looping; if
yes, proxy connection to $origin.

I see that you can use the following ways to inject cookie into the
header:

        add_header    Cookie  "mysuperdoopercookiehere";
or
        userid          on;
        userid_name     uid;
        userid_domain   domainname_here.com;

Using the Firefox cookie header add-on, I've been able to confirm that the
cookie injection works just fine; however, I haven't a clue on how to
properly write the redirect so that if the cookie is not set, set it
and have the client re-establish connection with the cookie added to
the header, and if the connection has a cookie set then pass it to the
proxy.

Any help with this would greatly be appreciated... I've been banging my
head to my desk for the last 2 days.

Thanks in advance,
Payam
Nick Pearson (Guest)
on 2009-01-23 06:13
(Received via mailing list)
I haven't tested this myself, but I believe it should do what you want.

if ($http_cookie !~ 'my_cookie=some_value') {
    add_header  Cookie  'my_cookie=some_value';
    rewrite  (.*)  $1  last;
    break;
}
# statements hereafter will only be reached if the cookie is properly set

I'm not sure the 'break' is necessary since the previous statement ends
with 'last', but I see it in examples quite a bit.

Be mindful that this will cause an infinite loop (and an eventual
client-side error message) for browsers with cookie support turned off.
It might be better to redirect users to something like /cookie_added, then
when a request comes in for /cookie_added, rewrite the request internally to
remove /cookie_added from the URI and process as normal.  You could even
check the URI, and if it is for /cookie_added but the cookie is not set,
you could show a friendly warning message instructing the user that cookies
are required for your site.

Hope that helps.

Nick
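
The /cookie_added flow suggested above, written out as an nginx configuration. This is an added example, not part of the original thread and untested against the poster's setup; the `origin` upstream address and `server_name` are assumptions, and the cookie name and value are reused from the snippet above. It sends the cookie in a `Set-Cookie` response header, which is the header browsers store cookies from.

```nginx
# Assumed origin server; replace with the real backend.
upstream origin {
    server 127.0.0.1:8080;
}

server {
    listen      80;
    server_name example.com;    # placeholder host name

    # Second request: the browser arrives here after the redirect below.
    location /cookie_added/ {
        # The cookie did not come back, so the client has cookies disabled.
        # Answer with a message instead of redirecting again (no loop).
        if ($cookie_my_cookie != "some_value") {
            return 403 "Cookies are required for this site.\n";
        }
        # Cookie present: strip the /cookie_added prefix internally and
        # re-run location matching, which now lands in "location /".
        # nginx appends the original query string automatically.
        rewrite ^/cookie_added(/.*)$ $1 last;
    }

    # First request (and every later one).
    location / {
        # No valid cookie yet: set it and bounce the client through
        # /cookie_added so the next request proves the cookie was stored.
        if ($cookie_my_cookie != "some_value") {
            add_header Set-Cookie "my_cookie=some_value; Path=/; HttpOnly";
            return 302 /cookie_added$request_uri;
        }
        # Cookie present: hand the request to the origin.
        proxy_pass http://origin;
    }
}
```

A fixed cookie value only shows that the client stores cookies and follows redirects; any client can send it by hand, so it should not be treated as authentication.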