Cookies are always not "secure"
vladimir-smirnov-sociomantic opened this issue · 17 comments
Hi,
I've got some problems (maybe related to my setup, not to the plugin), but even when using server with ssl, session cookies don't have "Secure" flag (ngx.var.ssl_session_id is always nil).
I've tried Nginx both 1.6.2 and 1.7.7 with lua-nginx-module 0.9.12 and 0.9.13 installed. ngx_devel_kit is latest 0.2.19.
Obviously, you have made the request using SSL/TLS?
I just tried with normal http (not TLS/SSL) and I did this in Nginx config:
set $session_cookie_secure on;
Then I did run the demo (that is documented in readme).
I got this on the browser:
Set-Cookie:session=j1XS0kzcpVr4V1ck89P9Zw..|1417025899|Lpy2N9ZGuDDNcOFa_FWfuoZXdIdWGe5M4rG5Zxl0obI.|dC9UfCPAN0CRBsyOOmy33E9xusY.; Path=/; Secure; HttpOnly
Obviously the client didn't send it back (with insecure HTTP) because there was a Secure flag in the cookie.
I have to test this also with SSL/TLS to see how ssl_session_id behaves. It should be there.
I'm doing it with https (self-signed for testing, but I've tried with a normal cert). Yeah, I haven't set "session_cookie_secure", but on purpose, to have autodetection working. But it seems that nginx for some reason fails to pass ssl_session_id to Lua. At least my build of it (I've built it with ngx_devel_kit, also using luajit-2.1 from git, commit date somewhere near 15th Nov 2014).
Maybe it's something wrong with my nginx, or nginx's settings, but I can't find what exactly. But from Lua I can't get any info from 'ngx.var.ssl_*' variables (they're always nil).
Hi,
Now I did remove that:
set $session_cookie_secure on;
from Nginx config. I quickly created self-signed certificate and then requested the site with https://localhost:4433/
I modified the demo a little bit:
session.data.name = "OpenResty Fan"
to
session.data.name = "OpenResty Fan " .. ngx.var.ssl_session_id
Everything else was left as default.
I got cookie:
Set-Cookie:session=FhtZBPof7_z0OO9QuX0_Eg..|1417026716|dvqg0CaQ19tz1rl0lP1EmdPzHPuz6TSwEXIMa6EHnjKnCB56eF9lwpv4OZBLDbvZAuZBGKBrk5sFB4tjZTf5Syg7uqhgQw4QcL58NJx4GVLR3cLdQOSCm2ggO55YU6sc|kZnUtPaIcIfnuQJnUrAwxY79itQ.; Path=/; Secure; HttpOnly
Then I also got this message on /test page:
Session was started by OpenResty Fan 958d5c8576ce0aff879797109d92a6f5e6c88fe0eda2fb8c6b17b1a37da98dfa! Destroy the session.
I also tried to refresh that page many times. And also destroying etc. worked correctly.
Please note that I released version 1.4 of lua-resty-session today. Please use that. This bug might be related to issues fixed in 1.4.
Regards
Aapo
Also, nginx ssl_session_timeout is affecting this (on my machine it was by default 5 min, making sessions invalid after that period).
I also did get an error about nil ngx.var.ssl_session_id now. It seems to trigger somehow, but I do not know why or when, yet. I think it has to do with nginx configs. Try to add these to your nginx ssl configs:
ssl_session_cache shared:SSL:100m;
ssl_session_timeout 60m;
I added some notes here as well:
https://github.com/bungle/lua-resty-session#nginx-configuration-variables
Strange thing is that I'm still getting "nil" always, even in a simple lua_access_page:
ngx.log(ngx.DEBUG, "ngx.var=", ngx.var.ssl_session_id)
return ngx.exit(ngx.HTTP_OK)
Can you show your ssl_* nginx configs? Are you using spdy or normal HTTPS?
Hi, I found this:
https://www.marshut.net/ksviqk/nginx-lua-nginx-get-ssl-session-id.html
Can you try adding this:
ssl_protocols SSLv3;
So it seems to be a problem related to TLS/SSL. I will look into whether we can use TLS tickets here in case the SSL session id is missing.
Ah, it was you asking it, ;-). Nice and fast Google indexing.
You could also try to add:
ssl_session_tickets off;
Also, check this out:
https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
For PFS to work, you need to disable session tickets.
Yeah, disabling session_tickets helped. Thanks!
I'm glad it helped. Still, this feels like a workaround, and not a solution (for tickets there doesn't seem to be a variable or anything equivalent to ssl_session_id).
I will change the code to read the default value for the Secure flag from a more reliable source (it was convenient to read it from a single variable, but that is not reliable, as shown).
I just released version 1.5 where we do use a more reliable way to auto detect the Secure flag for the cookie. I also adjusted the code a little bit to work in scenarios where some nginx variable could be nil, like ngx.var.ssl_session_id in this case. Let's see what the future brings here, if we can also get this added security that ssl_session_id provides for the TLS tickets as well (but there are no ways for that currently that I know of). Mind that the ssl_session_id is not mandatory when we have support for server side session storages (it mainly protects the client side session storage). I'm closing this now.
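An added example (not code from lua-resty-session or this thread) of the more reliable detection the last comment describes: the Secure default is taken from nginx's $https / $scheme variables instead of ngx.var.ssl_session_id, which is nil when TLS tickets are used rather than a server-side session cache. The `ngx` stub and the two request scenarios are constructed so the file runs under plain Lua; `request_is_tls` and `cookie_header` are hypothetical names, not the library's API.

```lua
-- Stub so this runs outside OpenResty; in nginx the real global `ngx` is used.
local ngx = ngx or { var = {} }

-- True when nginx served the request over TLS. $https is "on" for TLS
-- connections and empty otherwise; $scheme is "https" or "http".
-- ngx.var.ssl_session_id is deliberately not consulted: with
-- `ssl_session_tickets on` it is nil even on a TLS connection, which is
-- exactly the false negative reported in this issue.
local function request_is_tls(var)
  var = var or ngx.var
  if var.https == "on" then return true end
  if var.scheme == "https" then return true end
  return false
end

-- Builds a Set-Cookie value. An explicit opts.secure (e.g. taken from
-- $session_cookie_secure) wins; when it is nil we fall back to the TLS check,
-- so a nil nginx variable can never silently drop the Secure flag.
local function cookie_header(name, value, opts, var)
  opts = opts or {}
  local secure = opts.secure
  if secure == nil then secure = request_is_tls(var) end
  local parts = { name .. "=" .. value, "Path=" .. (opts.path or "/") }
  if secure then parts[#parts + 1] = "Secure" end
  if opts.httponly ~= false then parts[#parts + 1] = "HttpOnly" end
  return table.concat(parts, "; ")
end

-- Constructed scenario 1: TLS with session tickets, so ssl_session_id is nil
-- but the cookie must still carry Secure.
local tls_with_tickets = { https = "on", scheme = "https", ssl_session_id = nil }
print(cookie_header("session", "abc", nil, tls_with_tickets))

-- Constructed scenario 2: plain HTTP, so no Secure flag is added.
local plain_http = { https = "", scheme = "http" }
print(cookie_header("session", "abc", nil, plain_http))

-- Constructed scenario 3: operator forces Secure on even over HTTP
-- (the $session_cookie_secure on case from earlier in the thread).
print(cookie_header("session", "abc", { secure = true }, plain_http))
```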