-1

Has anyone run into the problem of mod-security only allowing one set-cookie through a proxy request response? We are using nginx with mod-security and seeing all but the last set-cookie be removed by nginx on the response from our application server. We are applying the mod-security in the location section:

    location ~* ^/(test|securitytest|$) {

      ModSecurityEnabled on;
      ModSecurityConfig modsecurity.conf;
      create_full_put_path   on;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;
      proxy_pass http://app;
      proxy_read_timeout 10;
      proxy_redirect off;
    }
Doug

1 Answer

1

There was a bug in modsecurity+nginx that was dropping all except one cookie for each request. It was fixed; have a look at:

https://github.com/SpiderLabs/ModSecurity/issues/154

zimmerle
  • We actually fixed the issue locally and submitted a pull request. It looks like someone else got it first which is great. – Doug Mar 07 '14 at 19:18
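
A regression check for the behaviour discussed in this thread, as an added example that is not part of the original posts or of the ModSecurity project: it reads every `Set-Cookie` header from the application server directly and through the proxy, and reports the ones the proxy dropped. The function names, the sample cookies and the stand-in upstream are assumptions made for illustration, and only plain HTTP URLs are handled.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample cookies; stand-ins for whatever the real application sets.
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "csrf=xyz789; Path=/", "lang=en; Path=/"]


class MultiCookieHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in upstream: one Set-Cookie header per sample cookie."""

    def do_GET(self):
        self.send_response(200)
        for cookie in SAMPLE_COOKIES:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_upstream(handler=MultiCookieHandler):
    """Start a stand-in upstream on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/test" % server.server_address[1]


def set_cookie_headers(url):
    """Return every Set-Cookie header value in the response, in order."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        # get_all keeps repeated headers separate instead of joining them
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


def dropped_cookies(direct_url, proxied_url):
    """Cookies the upstream sets that are missing from the proxied response."""
    via_proxy = set_cookie_headers(proxied_url)
    return [c for c in set_cookie_headers(direct_url) if c not in via_proxy]
```

Call `dropped_cookies()` with the application server's URL and the matching nginx URL; an empty list means every `Set-Cookie` header survived the proxy.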