Questions tagged [cookies]

The tag has no usage guidance.

39 votes
3 answers
117k views

How to rewrite the domain part of Set-Cookie in a nginx reverse proxy?

I have a simple nginx reverse proxy: server { server_name external.domain.com; location / { proxy_pass http://backend.int/; } } The problem is that Set-Cookie response headers contain ;...
Tobia's user avatar
  • 1,193
26 votes
3 answers
154k views

Can subdomain.example.com set a cookie that can be read by example.com?

I simply cannot believe this is quite so hard to determine. Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com. ...
Evan Plaice's user avatar
16 votes
4 answers
45k views

haproxy: how to prepare a server maintenance without kicking app sessions?

The issue I'm using haproxy to load balance web servers. I use session persistence with additional cookies as some applications use session files and these are not synchronized between servers. I ...
Christophe Drevet's user avatar
11 votes
3 answers
62k views

Add samesite to cookies using Nginx as reverse proxy

With Nginx as reverse proxy, how do you add samesite=strict or samesite=lax to cookies?
Dr.Haribo's user avatar
  • 213
11 votes
2 answers
18k views

Nginx - Serve static content from a cookieless domain

I'm using the "page speed" extension for Firebug to try to optimise a website and I'm currently working on the following suggestion: "Serve static content from a cookieless domain". I have created a ...
Tom's user avatar
  • 4,307
10 votes
8 answers
478 views

Servers harassed by individual on constantly changing IPs

We run a community product. There is an individual (a little PoS kid) in the UK that is harassing our site for the last 6 months. His daily task is to create a new account, post a bunch of illegal / ...
9 votes
2 answers
16k views

Is there a way to configure HAProxy to send traffic based on a cookie?

When configuring HAProxy, I would like to send traffic to certain servers based on the presence of a cookie. For example: There is a HAProxy server and 2 web servers (serverA and serverB). When ...
9 votes
1 answer
8k views

Date header returned by IIS7 is wrong

I am serving an ASP.NET application from IIS 7 but we are experiencing some weird cookie issues. The code works fine in other environments so we are assuming this is specific to this server (related ...
James Hollingworth's user avatar
7 votes
2 answers
15k views

How can I force Apache to not set cookies for subdomain?

I've set up a specific subdomain on my server for static content -- images.example.com I'd like to configure Apache to never let cookies be set on that domain. But I'm not sure where/how to do that. ...
7 votes
2 answers
903 views

How cookies work with non persistence load balancers

We have a Drupal application that uses sso to log users in. We are using AWS classic load balancers (ELB), AWS is telling us that there is no session persistence on the ELB. What I am trying to ...
Donna Delour's user avatar
6 votes
2 answers
8k views

How to make Varnish ignore, not delete cookies

I want to use Varnish to cache certain pages even in the presence of cookies. There are 3 possibilities that I need to take care of: An anonymous user is viewing some page A logged in user is viewing ...
Jason Christa's user avatar
5 votes
3 answers
31k views

Leverage proxy caching with nginx by removing Set-Cookie header

The following is a result of a bug within WebKit's Dev Tools used by Google Chrome and Apple's Safari. I have made a bug report with CrBug, who then identified the regression within WebKit Changeset ...
Mark Tomlin's user avatar
5 votes
1 answer
6k views

Configuring multiple ProxyPassReverseCookiePath in Apache HTTP

I have a server with an Apache reverse proxy in front. The server machine contains 2 web applications running under: localhost:8000/app and exposed as my.url.com/app1 localhost:8001/app and exposed ...
PentaKon's user avatar
  • 211
5 votes
2 answers
17k views

How to add recently set cookies to nginx's access log

I'd like to include cookie data in an nginx access log like so: (simplified example) log_format foo '$remote_addr "$request" $cookie_bar'; access_log /var/log/nginx/access.log foo; This works great ...
etoleb's user avatar
  • 201
5 votes
2 answers
19k views

Apache mod_header rule to change all cookies to secure

I would like to change all cookies to be secure and http-only. It works fine for one cookie, but doesn't work when multiple cookies are set in response. Apache mod_header rule should change cookies ...
Juraj's user avatar
  • 171
5 votes
1 answer
3k views

Cannot get IIS7 to send cookies to IE

I have a web application that I have created that uses the basic asp.net authentication. The authentication systems are working fine code-wise, however I cannot get IIS7 to send the cookies to IE web ...
KallDrexx's user avatar
  • 306
5 votes
1 answer
12k views

Problems setting a cookie from a machine proxied by nginx

For a project of mine, I need to wire up a long chain of machines that are essentially proxying the HTTP requests for each other. It goes like this: Web client - A - B/C - D When a request is made ...
Preslav Rachev's user avatar
4 votes
5 answers
590 views

Mitigating the 'firesheep' attack at the network layer?

What are the sysadmin's thoughts on mitigating the 'firesheep' attack for servers they manage? Firesheep is a new firefox extension that allows anyone who installs it to sidejack session it can ...
pobk's user avatar
  • 275
4 votes
1 answer
17k views

What is the difference between http_cookie and cookie_name in Nginx?

I want to add remote ip as a Cookie in Nginx, so that it can be passed on to AWS Load Balancer for Load balancer stickiness. location / { proxy_set_header Cookie "$http_cookie; ip=$remote_addr"; ...
Ashok Kumar Sahoo's user avatar
4 votes
1 answer
6k views

Setting the secure flag on cookies from Outlook Web Access

I'm running Exchange 2007 SP3 which is exposing outlook web access over only HTTPS. However the server delivers the sessionid cookie without the secure flag set. Even though I don't have port 80 open, ...
Cheekysoft's user avatar
4 votes
1 answer
17k views

Does apache have a limit to cookie size?

An application bug caused us to set a cookie that's too large. Clients get an error that happens prior to our application being executed (mod_python). Are there any adjustable limits within apache ...
rhettg's user avatar
  • 231
4 votes
1 answer
8k views

Cookie Authentication in Apache

I'm trying to set up a reverse proxy in Apache. The user will be required to log in, and will then be sent a cookie. I want Apache to check the cookie. Is there a way to do this? EG, right now my ...
user19084's user avatar
  • 143
4 votes
1 answer
42k views

Nginx proxy cookies not set

Here's my situation, I have a Rails 4 app that can be accessed by multiple domains, depending on the domain, the content changes. Say the main domain is domain1 and all the other domains just use ...
Julien's user avatar
  • 242
4 votes
2 answers
3k views

non-www domains prevent hosting of static content on the same domain, correct?

Flaw to using non-www domain a canonical? I love the idea of short, clean urls like example.com over www.example.com, and certainly whichever one is used should redirect to the other. However, as I ...
Kzqai's user avatar
  • 1,288
4 votes
2 answers
7k views

Http-Only cookies in WebLogic: what versions support them/how and why are they supported?

We want to make all cookies set by our webapp http-only. I only have a basic understanding of the benefits of doing this but I'm told by security people that it's a Good Thing (tm) Our app is running ...
3 votes
2 answers
181 views

Where can I report an issue with ASP.NET Browsers File?

While working with an ASP.NET application on Chrome for Android I discovered that Request.Browser.Cookies returns False for that browser (despite the browser supporting cookies). Based on what I've ...
Nathan Taylor's user avatar
3 votes
2 answers
3k views

Nginx reverse proxy - remove "Secure" from cookies

For the sake of development I need to make NGINX drop "Secure" flag from cookie headers. Set-Cookie:XSRF-TOKEN=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzz; Path=/; Secure should become Set-Cookie:XSRF-TOKEN=...
Juriy's user avatar
  • 140
3 votes
1 answer
748 views

Apache mod_cache: Strip/ignore (only) Google Analytics cookies

Varnish has the possibility to strip certain cookies from the request before deciding if a request is non-cachable because it contains cookies. Is there such a thing for Apache's mod_cache? Consider ...
Paul's user avatar
  • 1,978
3 votes
0 answers
2k views

CloudFront + S3 Access Denied Using Signed Cookies

I'm trying to integrate signed cookies for a CloudFront distribution that's fed off of an S3 bucket but getting access denied error messages: <Error> <Code>AccessDenied</Code> ...
YLivay's user avatar
  • 31
3 votes
1 answer
705 views

haproxy maxconn and cookie sessions

I have any instances under an haproxy loadbalancer. I am using the haproxy cookies to make each client connect to the same server throughout his whole session. Now the thing is, I would like to setup ...
carmelo arena's user avatar
2 votes
1 answer
8k views

how to check the value of a cookie in varnish

I have a cookie for language. I want to check if this cookie is set and to check its value to redirect the user to specific page. The cookie name is Lang and its value might be En, Fr, or Ar if (req....
Alaa Alomari's user avatar
2 votes
1 answer
2k views

PRUM_EPISODES cookie

We have noticed an unusual cookie in our logs: PRUM_EPISODES=s=1379338025465&r=http%3A//www.example.com/demo.html I presume it's a 3rd party control on our site which creates this. Does anyone ...
Karl Glennon's user avatar
2 votes
2 answers
7k views

.htaccess - Remove all cookies

I want to make an existing domain a "CDN" domain that serves all images, CSS and JS files (i.e. static files). However that domain was parked earlier and some application on that domain has set ...
BlaM's user avatar
  • 3,926
2 votes
1 answer
1k views

Does PHP *have* to serialize/unserialize session data between each HTTP request? Or is there a setting just to keep sessions in memory?

I think I understand why sessions are evil but for snappy client user experience I don't want to have to re-query the database on each HTTP request. (As a comparison, Java servlets can effortlessly ...
Pete Alvin's user avatar
2 votes
1 answer
8k views

Nginx preventing cookie from being sent from front to back end

I'm running a Golang back end on port 12345 and an Angular front end on port 8080. They communicate via websockets on a page called /consultation. When I open the firewall for both ports and have them ...
nusantara's user avatar
  • 141
2 votes
1 answer
5k views

GPO - Block 3rd party cookies for IE 8

I am trying to find some settings in GPOs that explicitly say, "Block 3rd Party cookies" in IE. I am looking under policies>admin template>windows components>IE> IE control panel>Security page. ...
Chadddada's user avatar
  • 1,680
2 votes
6 answers
7k views

How to cache websites using Varnish, PHP and Cookies

I consider starting using Varnish on my websites. I just tried out Varnish and I am wondering how to cache pages even if my websites use cookies, for Google Analytics. I am trying to remove them ...
Erik's user avatar
  • 125
2 votes
1 answer
763 views

Where does Chrome fetch my identity from after having deleted cookies?

I'm trying to figure out where does Google Chrome fetch my identity from when authenticating to an Identity Provider (SAML with certificate authentication) What I have tried : Delete all cookies, ...
MeMow's user avatar
  • 292
2 votes
1 answer
18k views

Set "Secure Flag" on Cookies for Only One (of many) Virtual Host on Apache

I'm hosting a number of sites on a single VPS (Debian Jessie, Apache 2.4). One of these sites forces HTTPS. On this and only this site, I would like to set the "Secure Flag" for cookies. I've found ...
kittykittybangbang's user avatar
2 votes
0 answers
2k views

Cookies aren't being set/overwritten through nginx reverse proxy

For some reason, when I'm proxying my API request through an nginx reverse proxy, my cookies aren't being overwritten with the new values. I've tried adding the following to my nginx config, but I'm ...
robert.bo.roth's user avatar
2 votes
0 answers
929 views

Cookie Secure Flag not persistent

I'm trying to implement a Secure flag for all cookies. I'm doing this via Headers. Here's how I did it: Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" It ...
jarvis's user avatar
  • 2,006
2 votes
1 answer
2k views

Varnish - Allow specific cookies for the backend?

I am trying figure out how to allow the backend to see tracking cookies on specific registration pages but ignore them on others. Currently, I'm trying to use a custom header sent from the backend to ...
Taylor's user avatar
  • 21
2 votes
2 answers
989 views

Bad Request Due to "Bad" Cookie

I have a web site under a domain, where the main domain is using Google Analytics which sets a cookie named __utmva whose value is part binary. As far as I can tell passing this cookie to IIS ...
Shay Erlichmen's user avatar
2 votes
0 answers
281 views

Vanilla .Net 4.0 website cannot identify some AppleWebKit based browsers

We are seeing some Safari browsers failing to cross-authenticate our website after we upgrade to .net 4.0 from .net 3.5. After much investigation, it turns out to be a problem with ASP.Net ...
Chad's user avatar
  • 21
1 vote
5 answers
14k views

Can not Login to phpmyadmin "Cookies must be enabled past this point"

I am having some trouble getting into phpmyadmin when trying to login. The only error that comes up is "Cookies must be enabled past this point" I have checked my browser setting to allow cookies. ...
freddy6's user avatar
  • 115
1 vote
2 answers
5k views

How to configure cookieless virtual host in Apache2?

We run over a hundred web applications (growing daily) on a LAMP stack using Apache2 on Ubuntu 10.04. We would like all requests to static content to be cookieless. We host applications on many ...
xzyfer's user avatar
  • 323
1 vote
2 answers
2k views

Check HTTP cookie value with nginx using map directive

I need to perform a redirect depending on the client's IP and the value that has been set in the cookie by WPML Wordpress plugin. I prefer to use the map directive for this purpose. Excerpt of nginx....
Twissell's user avatar
1 vote
1 answer
2k views

Is there any difference between using a cookie and using a normal header in the case of HTTP communication?

I have a system consisting of a custom software and an HTTP server. The software will send some requests with some headers and the HTTP server will send response back. Now I have some custom ...
cr001's user avatar
  • 195
1 vote
1 answer
3k views

modsecurity whitelisting certain types of cookies

I am seeing cookies being generated on our server which appear to be from 3rd party objects in the site and don't show themselves when one logs in or navigates through the site. The cookies are ...
LUser's user avatar
  • 217
1 vote
1 answer
499 views

Apache2 - Forward a value from URL param OR cookie, whichever is present

I managed to use apache to strip off a url param and stuff it in a header to be passed on to another server. See this question for reference. Now I would like to add to this by getting the value for ...
Samo's user avatar
  • 223