Opened 3 years ago

Last modified 2 years ago

#2161 new enhancement

Allow accessing arbitrary cookies.

Reported by: Kevin Cox Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.19.x
Keywords: Cc: Kevin Cox
uname -a: Linux kevinidea 5.10.27 #1-NixOS SMP Tue Mar 30 12:32:09 UTC 2021 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0
built by gcc 10.2.0 (GCC)
built with OpenSSL 1.1.1k 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/nix/store/zqcmjafbkyr17v9vlswl308i5djmd7mr-nginx-1.18.0 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-threads --with-pcre-jit --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --pid-path=/var/log/nginx/ --http-client-body-temp-path=/var/cache/nginx/client_body --http-proxy-temp-path=/var/cache/nginx/proxy --http-fastcgi-temp-path=/var/cache/nginx/fastcgi --http-uwsgi-temp-path=/var/cache/nginx/uwsgi --http-scgi-temp-path=/var/cache/nginx/scgi --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_image_filter_module --with-http_geoip_module --with-stream_geoip_module --with-file-aio --add-module=/nix/store/dr6n543igdhj589qirfh36m5a5fcg47d-rtmp --add-module=/nix/store/6pb7j6kymf3y4xs5blp3g8mwin2j22kk-dav --add-module=/nix/store/y39g23fn8ikzcd1iy3b1bclqwjk2qmxd-moreheaders


This is a duplicate of, however after 6 years I think it deserves rethinking.

  1. There are standard cookies that aren't [a-zA-Z_] such as the __Secure- and __Host- prefixes (
  2. Parsing cookies is non-trivial. Cookies may or may not be quoted and these are generally treated the same. Furthermore it is easy to match values inside of cookies instead of the cookies themselves (eg foo=bar=baz; bar=hello and a regex bar=foo). Adhoc regexes are not an appropriate tool for cookie parsing.

I think it would be good to encourage robust parsing of cookies and encouraging the use of the __Secure- and __Host- headers by supporting them natively.

Obviously it isn't perfectly clear how to integrate this into nginx configs. Maybe there could be a specific map option for parsing cookies with arbitrary names? Or a new directive for similar. A bigger change to the language would be supporting arbitrarily-named variables. Perhaps a syntax such as ${cookie___Secure-foo} or $"cookie___Secure-foo".

Change History (1)

comment:1 by Maxim Dounin, 2 years ago

Component: documentationnginx-core
Note: See TracTickets for help on using tickets.