0

I have an NGINX 1.11.10 and trying to manipulate the SameSite attribute of cookies. Looks like NGINX has an option

proxy_cookie_flags

However, this is only available in NGINX 1.19.3 and above.

How can I implement similar behaviour in 1.11.10 to manipulate all cookies, or specific cookies?

This is a similar configuration we have in Apache HTTPD.

# SameSite Cookie Configuration http://publib.boulder.ibm.com/httpserv/ihsdiag/_static/samesite-global.conf
# 1. Add SameSite=Strict and Secure if no SameSite found.
Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=Strict; Secure" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=Strict; Secure" env=!SAMESITE_SKIP
# 2. Remove duplicate SECURE flag (this keeps the above regex simpler)
Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
# Why the duplication?  always is not a superset of onsuccess the way it should be.
hoz
  • 502
  • 2
  • 9
  • 25

1 Answers1

1

First of all (I know you were aware of this) please try to update NGINX to the latest version. Whats the reason for you using an old version like that?

However, the proxy_cookie_flags directive replaced an 3rd party module available here: https://github.com/AirisX/nginx_cookie_flag_module

If you can not update you are able to load this dynamic module and make it work.

Timo Stark
  • 2,721
  • 1
  • 10
  • 23
  • Thank you very much for the answer. We found another solution using proxy_cookie_path._______ proxy_cookie_path / "/; SameSite=Lax; HTTPOnly; Secure" – hoz Oct 12 '21 at 18:19