
Setting cookie flag secure

Trying to set the Secure cookie flag for several of my locations. I've tried this with both 1.14.2 & 1.16.0 compiled from source.
I've downloaded and compiled the nginx_cookie_flag_module module against both versions, and the module seems to load successfully.

What I'm trying to achieve:
- browser hits http://qa.internal.com/test.gif
- if it doesn't have a cookie already set:
  - set a cookie with UUID (generated with perl mod, which has been working fine), with Secure flag & SameSite set
  - redirect to page no-cookie-found.html (302)
- if it does have a cookie already set:
  - redirect to page cookie-found.html (302)

How I know it's not working:
- Chrome 74.x developer tools show no status for either Secure or SameSite
- Firefox 67.0 developer tools show no status for either Secure or SameSite

Config snippets:
nginx.conf:
_________________

user nginx;
worker_processes 2;
load_module modules/ngx_http_cookie_flag_filter_module.so;

error_log /var/log/nginx/error.log debug;
....
include /etc/nginx/sites-enabled/*;



/etc/nginx/sites-enabled/site.com:
_________________
server {
    listen 80;
    server_name qa.internal.com;

    access_log /var/log/nginx/qa.internal.com.access.log;
    error_log /var/log/nginx/qa.internal.com.error.log debug;

    root /var/www/qa.internal.com.com/latest/;
    index index.html;

    # set_cookie_flag SameSite=Lax secure; <-- tried this up here as well, no workie

    location = /test.gif {
        if ($cookie_uuid) {
            add_header Cache-Control "public";
            expires 1d;
            # Re-direct locally just to validate rewrite gets hit when testing in lower envs
            rewrite ^ http://qa.internal.com/cookie-found.html;
            break;
        }

        add_header Set-Cookie "uuid=$internal_uuid;Expires=12/31/2038;Max-Age=630720000";
        set_cookie_flag SameSite=Lax secure;
        # proxy_cookie_path /* "/; secure; SameSite=strict"; <-- also tried this without success

        # Re-direct locally just to validate rewrite gets hit when testing in lower envs
        rewrite ^ http://qa.internal.com/no-cookie-found.html;
    }

}

I've moved the set_cookie_flag around in the config (server & location), but nothing seems to work. The cookies are being set, but without the required flags.

Debug output:
__________________
2019/07/10 17:29:10 [notice] 24870#0: *7 rewritten redirect: "http://qa.internal.com/no-cookie-found.html", client: 10.50.0.105, server: qa.internal.com, request: "GET /test.gif HTTP/1.1", host: "qa.internal.com"
2019/07/10 17:29:10 [debug] 24870#0: *7 http finalize request: 302, "/test.gif?" a:1, c:1
2019/07/10 17:29:10 [debug] 24870#0: *7 http special response: 302, "/test.gif?"
2019/07/10 17:29:10 [debug] 24870#0: *7 http set discard body
2019/07/10 17:29:10 [debug] 24870#0: *7 filter http_cookie_flag is enabled
2019/07/10 17:29:10 [debug] 24870#0: *7 perl variable handler
2019/07/10 17:29:10 [debug] 24870#0: *7 perl variable done
2019/07/10 17:29:10 [debug] 24870#0: *7 http script copy: "uuid="
2019/07/10 17:29:10 [debug] 24870#0: *7 http script var: "3aa7408aa33811e9a473e7de29dc7053"
2019/07/10 17:29:10 [debug] 24870#0: *7 http script copy: ";Expires=12/31/2038"
2019/07/10 17:29:10 [debug] 24870#0: *7 HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 10 Jul 2019 17:29:10 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://qa.internal.com/no-cookie-found.html
Set-Cookie: uuid=3aa7408aa33811e9a473e7de29dc7053;Expires=12/31/2038

any help is appreciated!
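
A way to confirm the symptom from the raw response rather than from browser developer tools, as an added example that is not part of the original post: a Python check that audits every Set-Cookie line in a block of response headers for the Secure and SameSite attributes the post is after. CAPTURED is copied from the post's debug output; WANTED, the function names and the finding strings are constructed for illustration.

```python
from email.utils import parsedate_to_datetime

# Response headers as quoted in the post's debug output (abridged).
CAPTURED = """HTTP/1.1 302 Moved Temporarily
Server: nginx
Location: http://qa.internal.com/no-cookie-found.html
Set-Cookie: uuid=3aa7408aa33811e9a473e7de29dc7053;Expires=12/31/2038
"""

# Constructed sample: the kind of header the post is trying to produce.
WANTED = """HTTP/1.1 302 Moved Temporarily
Set-Cookie: uuid=3aa7408aa33811e9a473e7de29dc7053; Max-Age=630720000; Secure; SameSite=Lax
"""

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name, attrs

def audit_response(raw, allowed_samesite=("lax", "strict")):
    """Return {cookie name: [findings]} for each Set-Cookie line in raw headers."""
    report = {}
    for line in raw.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings = []
        if "secure" not in attrs:
            findings.append("missing Secure")
        if attrs.get("samesite", "").lower() not in allowed_samesite:
            findings.append("SameSite not Lax/Strict")
        if "expires" in attrs:
            try:  # Expires is expected to be an HTTP-date, e.g. "Thu, 31 Dec 2037 23:59:59 GMT"
                parsedate_to_datetime(attrs["expires"])
            except (TypeError, ValueError):
                findings.append("Expires is not an HTTP-date")
        report[name] = findings
    return report

if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("wanted", WANTED)):
        print(label, audit_response(raw))
```

Run against the captured response, it reports both missing flags and also that `Expires=12/31/2038` is not in HTTP-date form; the same function can be pointed at saved `curl -sI` output after each config change.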
