We are trying to implement a simple authentication mechanism using NGINX as a proxy server and auth_request to protect some static files.
- The static documents are in docs.mydomain.com
- The API to generate a session token with an email/password is in login.otherdomain.com (it will return JSON with the email and session token)
The current process to authenticate looks like this:
When users try to access docs.mydomain.com, they will be presented with a login form. There, they enter their credentials; the email/password is then sent through AJAX, the API gives us a session token, and we store it in a cookie, something like this (note also that in login.otherdomain.com I have enabled authentication).
    $("form").submit(function (event) {
      $.ajax({
        async: false, // block until the cookie is set, because the form is submitted right after this handler returns
        url: "http://login.otherdomain.com/api/user_sessions",
        method: "POST",
        data: {
          user_sessions: {
            email: $("#email").val(),
            password: $("#password").val()
          }
        },
        success: function (resp_hash) {
          // reset() is a DOM form method, not a jQuery one, so it must be called on the element
          $("form")[0].reset(); // Clearing form so email/pwd is not sent in the follow-up request
          document.cookie = "x_api_session_id=" + resp_hash.user_sessions.id;
        }
      });
    });
Then the form is actually sent (using GET), and you can see the cleared fields (email & password) in the request, which looks kind of ugly. The request is sent to docs.mydomain.com/docs, which checks the session token against login.otherdomain.com and verifies whether it is still valid, all of this using nginx auth_request (https://developers.shopware.com/blog/2015/03/02/sso-with-nginx-authrequest-module/). Something like this:
    location /docs {
        auth_request /auth;      # every request under /docs triggers the internal subrequest below
    }

    location = /auth {
        internal;                # only reachable as a subrequest, never directly by clients
        proxy_pass $auth_api;    # session-check endpoint on login.otherdomain.com
        proxy_pass_request_body off;                 # only the status of the subrequest matters
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Api-Session-Id $cookie_x_api_session_id;  # forward the cookie value as a header
    }
And then the docs are displayed. We still need to implement clean handling of the error messages, but this works to begin with. Still, it feels ugly (especially the AJAX request to get the session token) and I think there should be a better way to do this. Any ideas on how this could be improved? Are there security implications in the way we are trying to implement this?
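Added example (the editor's, not the asker's code and not the login.otherdomain.com API): a minimal Python model of what the endpoint behind `$auth_api` has to do to satisfy the auth_request contract used in the config above. nginx forwards the cookie value in the X-Api-Session-Id header, and only the subrequest's status is used: 2xx lets the original request through, 401 or 403 denies it, and any other status is turned into a 500. The in-memory store, the one-hour TTL, hashing the token before storing it, and the `set_cookie_header` helper (the Set-Cookie value a server on the docs origin would send instead of the page setting the cookie from document.cookie, so the browser can apply HttpOnly, Secure and SameSite) are all assumptions; the password check is omitted.

```python
"""Toy backend for the nginx auth_request flow (added example, not the asker's API)."""
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 3600          # assumption: one-hour session lifetime
COOKIE_NAME = "x_api_session_id"    # cookie name used in the nginx config above

# In-memory store keyed by the SHA-256 of the token, so a leaked store does not
# hand out usable session ids (assumption: a real API would use a database).
_sessions = {}


def _key(session_id):
    return hashlib.sha256(session_id.encode()).hexdigest()


def create_session(email, now=None):
    """Issue a session token for an already-authenticated email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 random bits from the OS CSPRNG
    _sessions[_key(token)] = {"email": email, "expires": now + SESSION_TTL_SECONDS}
    return token


def set_cookie_header(session_id):
    """Set-Cookie value a server on the docs origin would send (assumption).

    HttpOnly keeps page scripts away from the token, Secure keeps it off plain
    HTTP, SameSite=Lax stops most cross-site requests from carrying it.
    """
    return f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def auth_request_handler(headers, now=None):
    """Handle the internal /auth subrequest nginx makes.

    Returns (status, response_headers).  auth_request only looks at the
    status: 2xx allows, 401/403 denies, anything else becomes a 500.  The body
    is ignored, which is why the config sends none (proxy_pass_request_body off).
    """
    now = time.time() if now is None else now
    session_id = headers.get("X-Api-Session-Id", "")
    if not session_id:
        return 401, {}                               # no cookie was forwarded
    entry = _sessions.get(_key(session_id))
    if entry is None:
        return 401, {}                               # unknown or forged token
    if entry["expires"] <= now:
        del _sessions[_key(session_id)]              # purge the expired session
        return 401, {}
    # Hand the identity back so nginx could expose it via auth_request_set.
    return 200, {"X-Auth-User": entry["email"]}


if __name__ == "__main__":
    # Constructed walk-through of the subrequest nginx would make.
    tok = create_session("alice@example.com")
    print(set_cookie_header(tok))
    print(auth_request_handler({"X-Api-Session-Id": tok, "X-Original-URI": "/docs/"}))
    print(auth_request_handler({"X-Original-URI": "/docs/"}))
```

The handler deliberately returns 401 for every failure rather than distinguishing "missing", "unknown" and "expired" in the status, since a 403 would be treated the same way by auth_request and the distinction only helps whoever is probing the endpoint. Pairing the 401 with `error_page 401 = @login;` in the `/docs` location is what turns the denial into a redirect to the login form instead of a bare error page.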