Secure and httponly cookies

Hi,

How to mark all the cookies from the backend servers as secure and
httponly?

Is there some config in NGINX available for this?

Thanks,
Krishna


This isn’t really something you do on your web server but rather in your
backend configuration (such as php.ini), etc.

Thanks for the response.

Yes, I understand that. But here they don't create a secure or httponly
cookie in the backend (WebSEAL/IBM Portal).

Earlier we were using IBM HTTP Server (IHS) and were adding these flags
in the web server itself.

Now we are trying to replace IHS with nginx but are not able to accomplish
the same here.


Here, nginx is proxy passing the requests to WebSEAL and WebSEAL sends
the response with cookies.
We are trying to rewrite these cookie headers.
Could you tell me more about Lua or some links where I can read about
it?


Without knowing much about WebSEAL (only simple googling), WebSEAL
really seems to be a very custom IBM product that does one thing:
integrate into Tivoli Access Manager, meaning they have very specific
features (such as single sign-on), etc.
nginx is a general web server; it doesn't hook into your backend system,
usually you proxy some requests to it, or serve some files.

The only way I can think of is by using Lua to rewrite the Set-Cookie
headers, but it's not really a nice solution.

There’s a relevant resty library as well -

Hi.

On 07-03-2016 21:15, [email protected] wrote:

Here, nginx is proxy passing the requests to WebSEAL and WebSEAL sends
the response with cookies.
We are trying to rewrite these cookie headers.

Please can you show us how you have tried to do this.

As you can see on this page there should be an option with 'plain' nginx
:wink:

https://maximilian-boehm.com/hp2134/NGINX-as-Proxy-Rewrite-Set-Cookie-to-Secure-and-HttpOnly.htm

Please can you also post the output of nginx -V and the config.

Cheers Aleks

On 7 March 2016 at 22:15, [email protected] wrote:

Could you tell me more about LUA or some links where i can read about it?

Here you go:

There you can replace the Set-Cookie headers, and append the HttpOnly and
Secure flags.

I have tried exactly the same as in this page:-

proxy_cookie_path / "/; secure; HttpOnly";

It sets the flags on the cookie in the response header, but when I
refresh the page, it is sending the cookies in the request header
without these flags; it just resets them.

Thanks,
Krishna

Nginx -V

nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-http_auth_request_module
--with-mail --with-mail_ssl_module --with-file-aio --with-ipv6
--with-http_spdy_module --with-cc-opt='-O2
-g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic'

Config:-

#Security
server_tokens off; #Turn off version number
add_header X-Frame-Options "SAMEORIGIN"; #Turn off click jacking; so no frames
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

# Redirect all insecure requests to the secure port

server {
    listen <IP_address>:80 ;
    server_name ;
    return 301 https://<server_name>$request_uri;
}

# Serve SSL encrypted data

server {
    listen <IP_address>:443 default_server ssl;
    add_header Strict-Transport-Security max-age=15768000;
    server_name <server_name>;

    access_log /web/nginx/servers/name/logs/access.log;
    error_log /web/nginx/servers/name/logs/error.log;

    # Security

    ssl on;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';

    # Specify the certificate and key

    ssl_certificate /etc/nginx/ssl/name/server.name.com.crt;
    ssl_certificate_key /etc/nginx/ssl/name/server.name.com.key;

    location /download/ {
        rewrite ^/download/vadxeval$ "https:///mybrocade/secure/navigate?nid=n32&prodCode=VIRTUAL_ADX&pname=VADX_DOWNLOAD&completePath=downloads/Virtual ADX/Virtual ADX_Eval" break;
        rewrite ^/download/apitoolkit$ "https:// /mybrocade/secure/navigate?nid=n30&prodCode=BRD_API_SUPPORT&prodCatCode=API&pname=VYATTA_DOWNLOAD&completePath=Brocade API Toolkit" break;
    }

    location / {
        rewrite ^/$ https:// /wps/myportal/ break;
        rewrite ^/wps/portal$ http:// /wps/myportal/ break;

        index index.html;
        root /web/nginx/servers/name/conf;
        proxy_set_header Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://<webseal_hostname>/;
        proxy_read_timeout 90;
    }
}

I am able to modify the set-cookie header from the server to flag it
secure. I am trying to do the same in the request header as well.

On Mon, Mar 07, 2016 at 09:50:00PM +0000, Krishna Kumar K K wrote:

Hi there,

I have tried exactly the same as in this page:-

proxy_cookie_path / "/; secure; HttpOnly";

it sets the flags on the cookie in the response header, but when I refresh the
page, it is sending the cookies in the requests header without these flags, it
just resets it.

That sounds like it is doing exactly what it should, no?

Flags are sent by the server in Set-Cookie response headers. Cookies
are sent by the client (or not) in Cookie request headers.

What behaviour do you want that you are not seeing?

f

Francis D. [email protected]

Thing is, it's failing in the vulnerability scan (the Nexpose tool is used),
saying the cookie is not secure or httponly.


On Tuesday, 8 March 2016, Krishna Kumar K K [email protected] wrote:

I am able to modify the set-cookie header from the server to flag it
secure. I am trying to do the same in the request header as well.

Those flags are instructions to the client. They don't have meaning on
request headers. Only on response headers.

Hi.

On 08-03-2016 08:44, Krishna Kumar K K wrote:

Thing is its failing in the vulnerability scan (nexpose tool is used)
saying cookie is not secure or httponly.

As Aapo said, the request header is a client header.
This is only changeable on the client side with some JavaScript code.

If you want to use such a solution you can try this module.
http://nginx.org/en/docs/http/ngx_http_addition_module.html

But to be more precise which request header do you want to change?

client request → nginx request → IBM WebSEAL request → other backend
                ???                ???

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header

You can also try to use 'add_header …' so that the client receives the
additional header and sends it back on the following requests.

http://nginx.org/en/docs/http/ngx_http_headers_module.html

As for the scanner, it gets the cookie from the response, not from the
request, AFAIK.
Maybe you can turn on the debug logging and see what the scanner gets as
response.

http://nginx.org/en/docs/debugging_log.html

Maybe you will need the nginx-debug package.
What’s your system on which you run nginx?

Aleks
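A way to check, offline, what the proxy_cookie_path line from Krishna's config does to different upstream cookies and what a response-side scan of the result would report; this is an added Python example, not code from this thread or from nginx, and it models the documented string form of proxy_cookie_path (the Path attribute's prefix is replaced) on constructed cookie names and values.

```python
# Constructed sample of Set-Cookie headers as an upstream like WebSEAL might
# send them (names and values chosen for illustration, not captured anywhere).
UPSTREAM_SET_COOKIE = [
    "PD-S-SESSION-ID=abc123; Path=/; Domain=portal.example.com",
    "JSESSIONID=xyz789; Path=/wps/myportal",
    "LtpaToken2=tok456; Domain=portal.example.com",   # no Path attribute at all
]


def proxy_cookie_path(set_cookie, path, replacement):
    """Model of the string form of nginx's proxy_cookie_path, per its
    documentation: if the Path attribute value starts with `path`, that
    prefix is replaced by `replacement`. A cookie without a Path attribute
    is left untouched."""
    parts = [p.strip() for p in set_cookie.split(";")]
    for i, attr in enumerate(parts[1:], start=1):
        name, _, value = attr.partition("=")
        if name.lower() == "path" and value.startswith(path):
            parts[i] = "Path=" + replacement + value[len(path):]
            break
    return "; ".join(parts)


def missing_flags(set_cookie):
    """Flags a scanner would report as missing on one Set-Cookie header.
    Attribute names are case-insensitive (RFC 6265), hence the lower()."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return [f for f in ("secure", "httponly") if f not in attrs]


def audit(headers):
    """Cookie name -> missing flags, for every cookie that would fail."""
    report = {}
    for h in headers:
        name = h.split("=", 1)[0].strip()
        missing = missing_flags(h)
        if missing:
            report[name] = missing
    return report


def after_rewrite():
    """Apply the directive from the thread: proxy_cookie_path / "/; secure; HttpOnly";"""
    return [proxy_cookie_path(h, "/", "/; secure; HttpOnly")
            for h in UPSTREAM_SET_COOKIE]


if __name__ == "__main__":
    for h in after_rewrite():
        print(h)
    print(audit(after_rewrite()))
```

Only the cookie whose Path is exactly / comes out clean: a longer Path gets the flags spliced into its middle (so HttpOnly is lost) and a cookie with no Path attribute is not rewritten at all, either of which keeps a scanner complaining. nginx 1.19.3 and later provide proxy_cookie_flags for adding these flags without this trick.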