Opened 11 years ago
Closed 4 years ago
#368 closed enhancement (fixed)
RFE: add a proxy_cookie_secure to override cookes to be 'Secure'
| Reported by: | David Illsley | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.3.x |
| Keywords: | cookie, secure | Cc: | |
| uname -a: | Linux xxx 2.6.39.4-x1-64 #1 SMP Wed Oct 26 11:52:50 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.4.1
TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module |
||
Description
When using nginx to do SSL termination, it makes sense that the backend application, when setting a cookie doesn't know to mark it as 'Secure' (1).
It'd therefore be really useful to have a proxy_cookie_secure directive like proxy_cookie_domain and proxy_cookie_path to apply the 'Secure' attribute to cookies being set by a reverse proxied app.
Cheers,
David
(1) http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
Change History (7)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Here some questions on Stackoverflow and similar sites about this feature:
https://serverfault.com/questions/496749/in-nginx-reverse-proxy-how-to-set-the-secure-flag-for-cookies
http://whatwithhow.com/questions/bma2/adding-httponly-and-secure-cookie-flags-on-nginx-php
https://stackoverflow.com/questions/29246512/how-to-force-a-secure-cookie-over-http-with-rails
comment:3 by , 9 years ago
Feel free to submit a patch if you think this feature is useful. See here for details on how to do it.
comment:4 by , 8 years ago
Hi,
cookies have 5 characteristics:
- domain (implemented modification in Nginx)
- path (implemented modification in Nginx)
- secure (NOT implemented modification in Nginx)
- httpOnly (NOT implemented modification in Nginx)
- expire (NOT implemented modification in Nginx)
For me, now it is critical "secure" flag. It is possible to hack it by:
proxy_cookie_path / "/; secure";
But it is not great solution. When backend already send "secure" flag, this solution sent double "secure; secure".
I just request this enhancement. I'm not able to submit a patch :-(
Thank you.
comment:7 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
The proxy_cookie_flags directive to control cookie flags was introduced in nginx 1.19.3 (d6a5e14aa3e4).
After 3 years this is still not done.
I really like the idea and secure cookies are important!