Opened 7 years ago

Closed 3 weeks ago

#368 closed enhancement (fixed)

RFE: add a proxy_cookie_secure to override cookes to be 'Secure'

Reported by: David Illsley Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.3.x
Keywords: cookie, secure Cc:
uname -a: Linux xxx 2.6.39.4-x1-64 #1 SMP Wed Oct 26 11:52:50 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module

Description

When using nginx to do SSL termination, it makes sense that the backend application, when setting a cookie doesn't know to mark it as 'Secure' (1).

It'd therefore be really useful to have a proxy_cookie_secure directive like proxy_cookie_domain and proxy_cookie_path to apply the 'Secure' attribute to cookies being set by a reverse proxied app.

Cheers,
David

(1) http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly

Change History (7)

comment:1 by rugk@…, 5 years ago

After 3 years this is still not done.

I really like the idea and secure cookies are important!

comment:3 by Maxim Dounin, 5 years ago

Feel free to submit a patch if you think this feature is useful. See here for details on how to do it.

comment:4 by jan.reges.siteone.cz@…, 4 years ago

Hi,

cookies have 5 characteristics:

  • domain (implemented modification in Nginx)
  • path (implemented modification in Nginx)
  • secure (NOT implemented modification in Nginx)
  • httpOnly (NOT implemented modification in Nginx)
  • expire (NOT implemented modification in Nginx)

For me, now it is critical "secure" flag. It is possible to hack it by:

proxy_cookie_path / "/; secure";

But it is not great solution. When backend already send "secure" flag, this solution sent double "secure; secure".

I just request this enhancement. I'm not able to submit a patch :-(

Thank you.

comment:5 by AirisX@…, 4 years ago

Try this third-party module.

comment:6 by hanzhangyu@…, 12 months ago

After 7 years this is still not done. How can I remove this flag?

comment:7 by Maxim Dounin, 3 weeks ago

Resolution: fixed
Status: newclosed

The proxy_cookie_flags directive to control cookie flags was introduced in nginx 1.19.3 (d6a5e14aa3e4).

Note: See TracTickets for help on using tickets.