Redirecting Users to Specific Files With Cookies

Question

Might be a dumb question, but I hope someone can explain it to me in a simple way for a beginner to understand.

Say I had a file only logged in users to my WordPress site are allowed to access. If I use a variable in nginx to redirect logged in users to that file based on the presence of the logged in cookie, such as:

if ($http_cookie ~* "(wordpress_logged_in_)") {
return blah
}

Would that be a proper, safe, or acceptable use or no?

I'd recommend to migrate the question to https://security.stackexchange.com/ . — Pothi Kalimuthu, Jun 27 '21 at 05:29
https://nginx.org/en/docs/http/ngx_http_secure_link_module.html may give an idea what is possible with Nginx. — Pothi Kalimuthu, Jun 28 '21 at 04:06

score 0 · Answer 1 · answered Jun 27 '21 at 09:50

It's possible I don't properly understand the question; but theoretically you shouldn't be using the presence of a cookie to determine whether the user is logged in, you should be using an encrypted (access-token) value within the cookie - that only the server can decrypt, to allow you to know that the user is (still) logged in and even what roles (if not possibly also what 'claims' they have in relation to 'authorisation' and when the session/access-token will expire), aka an 'authentication' (& 'log out'/end-session) process, ideally one that is OAuth v2 based if not also (ideally) supporting OIDC(/OID-C/'Connect') too.

@JohnDeere If an answer is helpful, please upvote it! https://serverfault.com/help/someone-answers — Pothi Kalimuthu, Jun 28 '21 at 04:02

Redirecting Users to Specific Files With Cookies

1 Answers1