Hi.
I want to bypass Set-Cookie headers from the proxied server to the user agent if the proxy bypasses the request, but without storing it to the cache.
The reason for that is described as follows:
1. The application server always sets a session cookie (SID)
2. The proxy ignores cookies (proxy_ignore_headers Set-Cookie) and caches the response for GET.
3. On login (POST), the application server sets the login-cookie and logs in the user for the current session (SID).
4. The proxy bypasses requests to the application server when the login-cookie (loggedIn) is set (proxy_cache_bypass $cookie_loggedin). Cache is disabled.
So far so good, but the proxy stores the session cookie in its cache files:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 Feb 2015 10:42:46 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: SID=36jr7dlr4vigvhg22bsmtaus34; path=/; domain=.domain.tld
Set-Cookie: lang=en; expires=Sun, 08-Mar-2015 10:42:46 GMT; path=/; domain=.domain.tld
Set-Cookie: cfce=1; path=/; domain=.domain.tld
Expires: Fri, 06 Feb 2015 11:12:46 GMT
When the next guest (without a session) visits the site, he gets the same session of the user who created the cache before.
So we have at least two user agents with the same session. This is a huge problem.
When I try to hide these headers from the user agent by using "proxy_hide_header Set-Cookie", I can't log in anymore because the session or login cookies from the application server never reach the user agent.
What I want is the proxy to bypass the Set-Cookie header if the application server sends one and remove it from the cached response. Is that possible with the nginx standard toolset or do I need plugins?
I'm using nginx 1.5.0.
Best,
Mike Reiche (Admin tyclipso.net)
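To check whether a cache already holds responses like the one quoted above, the stored headers can be audited for Set-Cookie lines. This is an added example, not part of the original post or of nginx itself. It assumes a cache file is an opaque binary header, a "KEY: ..." line, then the upstream response headers verbatim; the sample bytes and the cache key are constructed.

```python
import os
import re
import sys

# Constructed sample of one cache file. Assumed layout: binary header,
# "KEY: ..." line, upstream response headers, blank line, body.
SAMPLE_CACHE_FILE = (
    b"\x03\x00\x00\x00" + b"\x00" * 20 +
    b"\nKEY: httpGETwww.domain.tld/\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Set-Cookie: SID=36jr7dlr4vigvhg22bsmtaus34; path=/; domain=.domain.tld\r\n"
    b"Set-Cookie: lang=en; expires=Sun, 08-Mar-2015 10:42:46 GMT; path=/\r\n"
    b"Set-Cookie: cfce=1; path=/; domain=.domain.tld\r\n"
    b"Expires: Fri, 06 Feb 2015 11:12:46 GMT\r\n"
    b"\r\n"
    b"<html>Set-Cookie: notaheader=1</html>"
)

# Per-user cookie names taken from the post, compared case-insensitively.
SENSITIVE = {"sid", "loggedin"}

def cached_cookies(blob):
    """Return the cookie names set by the response headers stored in blob."""
    start = re.search(rb"HTTP/1\.[01] \d{3}", blob)
    if start is None:
        return []
    head = blob[start.start():]
    end = re.search(rb"\r?\n\r?\n", head)  # blank line ends the headers
    if end:
        head = head[:end.start()]          # never scan the body
    names = []
    for line in re.split(rb"\r?\n", head)[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"set-cookie":
            names.append(value.split(b"=", 1)[0].strip().decode("latin-1"))
    return names

def audit(blob):
    """Report stored cookie names and whether any is a per-user cookie."""
    names = cached_cookies(blob)
    leaks = any(n.lower() in SENSITIVE for n in names)
    return {"cookies": names, "leaks_session": leaks}

if __name__ == "__main__":
    # Usage: python audit_cache.py /path/to/proxy_cache_path
    for root, _dirs, files in os.walk(sys.argv[1]):
        for f in files:
            with open(os.path.join(root, f), "rb") as fh:
                print(os.path.join(root, f), audit(fh.read(65536)))
```

Any file reported with `leaks_session` true is a cached response that would hand the same SID to every guest served from it.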