How to check the existence of a http-only secure cookie

I have a http-only and secure (ssl) cookie, and I want nginx to check
whether this cookie exists in a request, if not, reject it by serving a
404 page. This is just a preliminary check, so I don’t care about the
actual value in the cookie.

So far I’ve tried this: if ($http_cookie !~* "cookie_name=[.]+") { return
404; } in a location directive, but despite the cookie is contained in
the requests, 404 is returned. What should be corrected here? Thanks!

Posted at Nginx Forum:

On Wed, Feb 20, 2013 at 05:10:26PM -0500, mrtn wrote:

> I have a http-only and secure (ssl) cookie, and I want nginx to check
> whether this cookie exists in a request, if not, reject it by serving a 404
> page. This is just a preliminary check, so I don’t care about the actual
> value in the cookie.
>
> So far I’ve tried this: if ($http_cookie !~* "cookie_name=[.]+") { return
> 404; } in a location directive, but despite the cookie is contained in the
> requests, 404 is returned. What should be corrected here? Thanks!

Does it pass if the cookie value starts with a dot?

Every character in the regex means something. “.” probably doesn’t mean
what you think it means here.

Omit the [] and it might work for you. Or you could just test
$cookie_cookie_name directly – does it equal the empty string? If not,
it has a value.

(This doesn’t actually check for http-only or secure, but you probably
know that already.)

f

Francis D.

i see. since you mentioned it, is there any way to check for http-only
and secure properties of a cookie using nginx? In other words, combined
with the original question above, i want to check if a given a cookie is
present and it is http-only and secure, otherwise, reject the request
with a 404.


On Thursday 21 February 2013 17:27:58 mrtn wrote:

> i see. since you mentioned it, is there any way to check for http-only and
> secure properties of a cookie using nginx?

There are no such properties in the Cookie request header.

wbr, Valentin V. Bartenev

http://nginx.org/en/donation.html

On Tuesday 12 March 2013 01:54:01 [email protected] wrote:

> http-only and secure are directives intended for browser. If the browser
> doesn’t detect HTTP proto for http-only setting and SSL for secure setting
> then browser will drop the cookie and will never make it to the web server.

Thank you, I know what “HttpOnly” and “Secure” are. But, please, note
that these attributes are sent via Set-Cookie header from a web-server
response, while the question was:

"to check if a given a cookie is present and it is http-only and
secure, otherwise, reject the request with a 404".

There’s no way since they are not present in requests.

wbr, Valentin V. Bartenev



http-only and secure are directives intended for browser. If the browser
doesn’t detect HTTP proto for http-only setting and SSL for secure
setting then browser will drop the cookie and will never make it to the
web server.

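An added example, not code from the thread or from nginx: this Python sketch reproduces the two points made in the replies above, namely why the [.]+ pattern returns 404 for a request that does carry the cookie, and why Secure and HttpOnly can only be seen in the Set-Cookie response header. It assumes Python's re module as a stand-in for nginx's PCRE matching (the patterns use only syntax common to both) and http.cookies as a stand-in for nginx's own cookie parsing; the function names and header values are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# Patterns from the thread; (?i) stands in for nginx's case-insensitive "~*".
BROKEN = re.compile(r"(?i)cookie_name=[.]+")  # [.] is a class holding a literal dot
FIXED = re.compile(r"(?i)cookie_name=.+")     # brackets omitted: any character


def rejected(pattern, cookie_header):
    """Mirror `if ($http_cookie !~* pattern) { return 404; }`."""
    return pattern.search(cookie_header) is None


def has_cookie(cookie_header, name):
    """Rough equivalent of testing that $cookie_<name> is not the empty string."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return name in jar and jar[name].value != ""


def flags(header_value, name):
    """Return the (Secure, HttpOnly) attributes parsed for one cookie."""
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar[name]
    return bool(morsel["secure"]), bool(morsel["httponly"])


# Constructed sample headers, not taken from the thread.
SET_COOKIE = "cookie_name=abc123; Path=/; Secure; HttpOnly"  # response header value
COOKIE = "lang=en; cookie_name=abc123"   # what the browser sends back: name=value only
DOTTED = "cookie_name=...."              # the only kind of value [.]+ accepts

if __name__ == "__main__":
    for hdr in (COOKIE, DOTTED, "lang=en"):
        print(f"{hdr!r}: broken rejects={rejected(BROKEN, hdr)}, "
              f"fixed rejects={rejected(FIXED, hdr)}, "
              f"present={has_cookie(hdr, 'cookie_name')}")
    # Attributes exist on the response side and are absent from the request side.
    print("Set-Cookie flags:", flags(SET_COOKIE, "cookie_name"))
    print("Cookie flags:    ", flags(COOKIE, "cookie_name"))
```
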