Opened 3 years ago

Closed 3 weeks ago

#1339 closed enhancement (fixed)

Missing Secure Attribute

Reported by: prophesy604@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.11.x
Keywords: Cc: osodani@…, kpoonatar@…, jburns@…
uname -a: [CDC\nmk5-su@astv-npin-nginx ~]$ uname -a
Linux astv-npin-nginx 2.6.32-696.3.1.el6.x86_64 #1 SMP Thu Apr 20 11:30:02 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: [CDC\nmk5-su@astv-npin-nginx ~]$ nginx -V
nginx version: nginx/1.11.5 (nginx-plus-r11)
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --build=nginx-plus-r11 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_jwt_module --with-http_auth_request_module --with-http_dav_module --with-http_f4f_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_hls_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_session_log_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

One of our security requirements is that all cookies coming from our nginx server need to have the "Secure" flag set.

We are using a module, ngx_http_userid_module, that sets a user cookie to track visitors. However, this cookie is not set with the Secure flag and the documentation does not have any information on how to force this module to set that user cookie (uid) as secure.

Documentation:
http://nginx.org/en/docs/http/ngx_http_userid_module.html

Our configuration for this module in nginx.conf:

userid on;
userid_name uid;
userid_domain none;
userid_path /;
userid_expires 365d;
userid_p3p 'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"';

We need nginx support to help us determine if there is a way to mark the uid cookie set by this module as "Secure".

Change History (2)

comment:1 by Maxim Dounin, 3 years ago

Priority: blocker → minor
Type: defect → enhancement

A quick workaround would be to use something like

userid_path "/; secure";

Such approach allows specifying arbitrary attributes, including "secure" and "httponly".

Please also note that this is a bug tracker for nginx open source server. For nginx-plus support, please use the plus-support@… address instead.
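The configurations below are an added example and are not part of the ticket or of the nginx project's own documentation; hostnames and certificate paths are placeholders. The first server block reproduces the reporter's settings, the second applies the userid_path workaround from comment:1, and the third uses the userid_flags directive available from nginx 1.19.3 onwards (its syntax is "userid_flags off | flag ...", with the flags secure, httponly and samesite=strict|lax|none).

```nginx
# Added example (not from the ticket). Placeholder names and paths throughout.

http {
    # 1) Reporter's configuration: the uid cookie is emitted without
    #    Secure or HttpOnly. Abridged response header:
    #      Set-Cookie: uid=...; expires=...; path=/
    server {
        listen 443 ssl;
        server_name weak.example.com;                       # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder

        userid         on;
        userid_name    uid;
        userid_domain  none;
        userid_path    /;
        userid_expires 365d;
    }

    # 2) Workaround for versions before 1.19.3 (comment:1). The module copies
    #    the userid_path value verbatim after "; path=", so anything appended
    #    after a semicolon is emitted as a further cookie attribute. Abridged:
    #      Set-Cookie: uid=...; expires=...; path=/; secure; httponly
    #    The browser still sees path=/ because attribute parsing stops at ";".
    server {
        listen 443 ssl;
        server_name workaround.example.com;                 # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder

        userid         on;
        userid_name    uid;
        userid_domain  none;
        userid_path    "/; secure; httponly";
        userid_expires 365d;
    }

    # 3) nginx 1.19.3 and later: request the attributes explicitly instead of
    #    relying on the path value passing through unescaped.
    server {
        listen 443 ssl;
        server_name fixed.example.com;                      # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder

        userid         on;
        userid_name    uid;
        userid_domain  none;
        userid_path    /;
        userid_expires 365d;
        userid_flags   secure httponly samesite=lax;
    }
}

# Verify from a client (placeholder host; -k only if the cert is self-signed):
#   curl -skI https://fixed.example.com/ | grep -i '^set-cookie'
# and confirm the uid cookie line carries the expected attributes.
```

Keep in mind that the path trick works only because the module does not validate or escape the userid_path value; once the server runs 1.19.3 or later, switch to userid_flags and restore userid_path to a plain path so the intent is visible in the configuration and does not depend on that behaviour.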

comment:2 by Maxim Dounin, 3 weeks ago

Resolution: fixed
Status: new → closed

The userid_flags directive to provide additional cookie flags is available starting with nginx 1.19.3 (e3e8b8234f05, c0cacad62cc8).
