RE: secure and httponly cookies

2016-03-08 Thread Aleksandar Lazic
n nginx? Aleks FROM: nginx [mailto:nginx-boun...@nginx.org] ON BEHALF OF Aapo Talvensaari SENT: Monday, March 07, 2016 11:34 PM TO: nginx@nginx.org SUBJECT: Re: secure and httponly cookies On Tuesday, 8 March 2016, Krishna Kumar K K wrote: I am able to modify the set-cookie header from the s

RE: secure and httponly cookies

2016-03-07 Thread Krishna Kumar K K
Thing is, it's failing in the vulnerability scan (Nexpose tool is used) saying the cookie is not secure or httponly. From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of Aapo Talvensaari Sent: Monday, March 07, 2016 11:34 PM To: nginx@nginx.org Subject: Re: secure and httponly cookies On Tuesday

Re: secure and httponly cookies

2016-03-07 Thread Aapo Talvensaari
On Tuesday, 8 March 2016, Krishna Kumar K K wrote: > I am able to modify the set-cookie header from the server to flag it > secure. I am trying to do the same in the request header as well. > Those flags are instructions to the client. They don't have meaning on request headers. Only on response hea

RE: secure and httponly cookies

2016-03-07 Thread Krishna Kumar K K
Subject: Re: secure and httponly cookies On Mon, Mar 07, 2016 at 09:50:00PM +, Krishna Kumar K K wrote: Hi there, > I have tried exactly the same as in this page:- > > proxy_cookie_path / "/; secure; HttpOnly"; > > it sets the flags on the cookie in the response header,

Re: secure and httponly cookies

2016-03-07 Thread Francis Daly
On Mon, Mar 07, 2016 at 09:50:00PM +, Krishna Kumar K K wrote: Hi there, > I have tried exactly the same as in this page:- > > proxy_cookie_path / "/; secure; HttpOnly"; > > it sets the flags on the cookie in the response header, but when I refresh > the page, it is sending the cookies in

RE: secure and httponly cookies

2016-03-07 Thread Krishna Kumar K K
-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http:///; proxy_read_timeout 90; } } -Original Message- From: Krishna Kumar K K Sent: Monday, March 07, 2016 1:50 PM To: nginx@ngin

RE: secure and httponly cookies

2016-03-07 Thread Krishna Kumar K K
s, Krishna -Original Message- From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of Aleksandar Lazic Sent: Monday, March 07, 2016 1:16 PM To: nginx@nginx.org Subject: Re: secure and httponly cookies Hi. On 07-03-2016 21:15, kris...@brocade.com wrote: > Here, nginx is proxy passing the reques

Re: secure and httponly cookies

2016-03-07 Thread Aleksandar Lazic
Hi. On 07-03-2016 21:15, kris...@brocade.com wrote: Here, nginx is proxy passing the requests to webseal and webseal sends the response with cookies. We are trying to rewrite these cookie headers. Please can you show us how you have tried to do this. As you can see on these pages there shoul

Re: secure and httponly cookies

2016-03-07 Thread Robert Paprocki
There's a relevant resty library as well - https://github.com/cloudflare/lua-resty-cookie > On Mar 7, 2016, at 12:31, Aapo Talvensaari wrote: > >> On 7 March 2016 at 22:15, kris...@brocade.com >> wrote: >> Could you tell me more about Lua or some links where I can read about it? > > Here you

Re: secure and httponly cookies

2016-03-07 Thread Aapo Talvensaari
On 7 March 2016 at 22:15, kris...@brocade.com wrote: > > Could you tell me more about Lua or some links where I can read about it? > Here you go: https://github.com/openresty/lua-nginx-module#header_filter_by_lua There you can replace the Set-Cookie headers, and append HttpOnly and Secure flags.

Re: secure and httponly cookies

2016-03-07 Thread kris...@brocade.com
Here, nginx is proxy passing the requests to webseal and webseal sends the response with cookies. We are trying to rewrite these cookie headers. Could you tell me more about Lua or some links where I can read about it? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265137,265142#msg-26

Re: secure and httponly cookies

2016-03-07 Thread Lucas Rolff
Without knowing much about webseal (only simple googling), webseal really seems to be a very custom IBM product that does one thing: integrate into Tivoli Access Manager - meaning they have very specific features (such as single sign-on) etc. nginx is a general web server; it doesn't hook into your

Re: secure and httponly cookies

2016-03-07 Thread kris...@brocade.com
Thanks for the response. Yes, I understand that. But here they don't create a secure or httponly cookie in the backend (webseal/IBM portal). Earlier we were using IBM HTTP Server (IHS) and were adding these flags in the web server itself. Now we are trying to replace IHS with nginx but are not able t

Re: secure and httponly cookies

2016-03-07 Thread Lucas Rolff
This isn't really something you do on your web server but rather in your backend configuration (such as php.ini), etc. kris...@brocade.com 7 March 2016 at 20:38 Hi, How to mark all the cookies from the backend servers as secure and httponly? Is there some

secure and httponly cookies

2016-03-07 Thread kris...@brocade.com
Hi, How to mark all the cookies from the backend servers as secure and httponly? Is there some config in NGINX available for this? Thanks, Krishna Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265137,265137#msg-265137