Hello,
I have a reverse proxy set up on a website and I'm proxying logged-in pages. Everything works except there is a vulnerability in my setup.
I log in to the site and I can cache the pages. I share these pages with everyone else.
However, there is a problem with how the Set-Cookie is passed on to the user when I just want nginx to keep it.
Is there a way to make nginx stay logged into the site, and hide the Set-Cookie passed on to the client?
I've tried: proxy_hide_header Set-Cookie;
but that just logs out the session and can no longer access the protected pages. When the Set-Cookie is passed on to the user they can save that cookie and load it up into their browser and be able to log in and "hack" the account.
Is there a way to keep nginx logged in, without exposing the Set-Cookie?