Opened 7 years ago
Closed 4 years ago
#1339 closed enhancement (fixed)
Missing Secure Attribute
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.11.x |
Keywords: | Cc: | osodani@…, kpoonatar@…, jburns@… | |
uname -a: |
[CDC\nmk5-su@astv-npin-nginx ~]$ uname -a
Linux astv-npin-nginx 2.6.32-696.3.1.el6.x86_64 #1 SMP Thu Apr 20 11:30:02 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux |
||
nginx -V: |
[CDC\nmk5-su@astv-npin-nginx ~]$ nginx -V
nginx version: nginx/1.11.5 (nginx-plus-r11) built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --build=nginx-plus-r11 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_jwt_module --with-http_auth_request_module --with-http_dav_module --with-http_f4f_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_hls_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_session_log_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' |
Description
One of our security requirements is that all cookies coming from our nginx server need to have the "Secure" flag set.
We are using a module, ngx_http_userid_module, that sets a user cookie to track visitors. However, this cookie is not set with the Secure flag and the documentation does not have any information on how to force this module to set that user cookie (uid) as secure.
Documentation:
http://nginx.org/en/docs/http/ngx_http_userid_module.html
Our configuration for this module in nginx.conf:
userid on;
userid_name uid;
userid_domain none;
userid_path /;
userid_expires 365d;
userid_p3p 'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"';
We need nginx support to help us determine if there is a way to mark the uid cookie set by this module as "Secure".
Change History (2)
comment:1 by , 7 years ago
Priority: | blocker → minor |
---|---|
Type: | defect → enhancement |
comment:2 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
The userid_flags directive to provide additional cookie flags is available starting with nginx 1.19.3 (e3e8b8234f05, c0cacad62cc8).
A quick workaround would be to use something like
Such approach allows specifying arbitrary attributes, including "secure" and "httponly".
Please also note that this is a bug tracker for nginx open source server. For nginx-plus support, please use the plus-support@… address instead.