Forum: NGINX Protect link with cookies?

Artifex Maximus (Guest)
on 2009-06-09 13:39
(Received via mailing list)
Hello!

I am pretty new to nginx and am having a problem protecting my links.
I am using valid_referers, but is it possible to use cookies to make it
stronger?

For example, I set the cookie uid with nginx's userid in 'location / {}'
and check somehow under 'location /download/ {}' for the cookie uid. Is it
possible or just a dream? Userid was just an idea and is not necessary.
Any other ideas are welcome as well, because cheating the referer is
an easy task.

Bye,
Zsolt
Igor Sysoev (Guest)
on 2009-06-09 14:36
(Received via mailing list)
On Tue, Jun 09, 2009 at 01:30:50PM +0200, Artifex Maximus wrote:

> easy task.
    location /download/ {
        # NAME is the cookie's name; refuse the request when it is absent or empty
        if ($cookie_NAME = '') {
            return 403;
        }
    }
Artifex Maximus (Guest)
on 2009-06-09 14:55
(Received via mailing list)
Hello!

2009/6/9 Igor Sysoev <is@rambler-co.ru>:
>> easy task.
>
>    location /download/ {
>        if ($cookie_NAME = '') {
>            return 403;
>        }
>    }

Looks nice. Thank you Igor!

Bye,
Zsolt
Artifex Maximus (Guest)
on 2009-06-10 12:25
(Received via mailing list)
Hello!

On Tue, Jun 9, 2009 at 2:48 PM, Artifex Maximus <artifexor@gmail.com> wrote:
>>> And any other ideas are welcome as well because cheating referer is
>>> easy task.
>>
>>    location /download/ {
>>        if ($cookie_NAME = '') {
>>            return 403;
>>        }
>>    }
>
> Looks nice. Thank you Igor!

And it is working perfectly, though. Is there any simple solution (without
PHP or any external utility) for tracking these cookies? I mean storing
cookies in a database and checking whether the cookie that was sent is valid
or not. Or is it too complex and not an nginx task?

Bye,
Zsolt
merlin corey (Guest)
on 2009-06-11 00:00
(Received via mailing list)
That is precisely the kind of control required to take place in an
upstream application, not nginx.  Nginx should be thought of as sort
of a signal processor, that is, it sits in a stream and does its
business as quickly and efficiently as possible.  Waiting on databases
is neither quick nor efficient.

Also there is nothing secure about cookies, which can be completely
manipulated by the client.  Session data, on the other hand, is
internal and therefore much more reliable (and is basically what you
want to use).

-- Merlin
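
Merlin's point that the client controls the cookie value, shown as an added example that is not part of the original thread: the presence test from Igor's snippet accepts any non-empty value, while an upstream check of an HMAC-signed cookie with an expiry rejects forged and expired ones. The cookie layout, SECRET and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real deployment uses a random secret kept on the server.
SECRET = b"constructed-demo-key"


def presence_check(cookie):
    """Same test as nginx `if ($cookie_NAME = '')`: any non-empty value passes."""
    return bool(cookie)


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id, ttl, now=None):
    """Return 'user_id|expiry|signature'; the HMAC covers 'user_id|expiry'."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{user_id}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_cookie(cookie, now=None):
    """Return the user id for a correctly signed, unexpired cookie, else None."""
    parts = (cookie or "").split("|")
    if len(parts) != 3:
        return None
    user_id, expires, sig = parts
    expected = _sign(f"{user_id}|{expires}")
    # Constant-time comparison: do not leak how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    # The expiry is trusted only now that the signature over it has verified.
    if int(expires) < (time.time() if now is None else now):
        return None
    return user_id


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value
    good = issue_cookie("zsolt", ttl=3600, now=t0)
    forged = "zsolt|9999999999|" + "0" * 64  # value made up by a client
    print("presence check on forged value:", presence_check(forged))
    print("signed check on forged value:  ", verify_cookie(forged, now=t0))
    print("signed check on issued cookie: ", verify_cookie(good, now=t0 + 10))
    print("signed check after expiry:     ", verify_cookie(good, now=t0 + 3601))
```
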
Artifex Maximus (Guest)
on 2009-06-11 12:18
(Received via mailing list)
Hello!

On Wed, Jun 10, 2009 at 11:53 PM, merlin corey <merlincorey@dc949.org> wrote:

> That is precisely the kind of control required to take place in an
> upstream application, not nginx.  Nginx should be thought of as sort
> of a signal processor, that is, it sits in a stream and does its
> business as quickly and efficiently as possible.  Waiting on databases
> is neither quick nor efficient.


First of all thanks for your answer Merlin!

I think of it as an option, so the user has the choice of using it or not.
And in this way the user decides whether to put load on the server or not.
But in short, there is no such option.



> Also there is nothing secure about cookies, which can be completely
> manipulated by the client.  Session data, on the other hand, is
> internal and therefore much more reliable (and is basically what you
> want to use).


I know that, but it is not as easy as cheating on the referrer. I am not
looking to write the perfect protection system, actually, but one good enough
for basic protection, using as many different techniques as possible but
not more. And I do not want to write any external code (PHP in my case);
let's say I am lazy. If I were able to store and retrieve used cookies and
their deadline within nginx, the system would be pretty useful.

Does nginx have session data, or is some external processing required?

Bye,
Zsolt
merlin corey (Guest)
on 2009-06-12 00:07
(Received via mailing list)
NginX does not provide any kind of internal API for session data or
anything of that sort...  You could do what you want with embedded
perl, probably, if you really want to keep it in NginX, otherwise
you're back to using $cookie_name variables (which is probably the
easiest/fastest solution) or you will want to write a module for NginX
itself.

-- Merlin
Artifex Maximus (Guest)
on 2009-06-12 11:46
(Received via mailing list)
Hello!
Thanks, I see. Because I do not have time to develop in C, PHP, Perl,
etc., everything remains as is.

Bye,
Zsolt
