1

I want to use the new cookie-prefixes, which are not yet standardized by the IETF. These are __Secure- and __Host-.

So let's e.g. set this cookie (here the header returned by the server):

Set-Cookie: "__Host-apple=yummy; Secure; HttpOnly; Path=/"

I want to access this cookie now in nginx with the $cookie- variable. So for testing I use the echo module to show me the value of the cookie:

location = /wannaeat/ {
        echo $cookie___Host-apple;
}

However nginx always shows me -apple. It seems to use the hyphen (-) to split the variable.

Because when I e.g. name the cookie __Host_apple (and the nginx variable $cookie___Host_apple) nginx shows me the value correctly.

I know I could probably use $http_cookie and use a regular expression to find the correct cookie, but this is not possible as I want to map the cookie value.

Community
  • 1
rugk
  • 466
  • 2
  • 6
  • 18
  • 3
    Currently cookie with dash could not be accessed via `$cookie_...` variable. You could extract it from `$http_cookie` variable (e.g. http://www.ur-ban.com/2012/03/18/logging-nginx-cookies-with-dashes/) or access it from Lua script (if your nginx built with Lua support). – Alexey Ten Jul 06 '16 at 13:47

1 Answers1

2

First of all, map does, in fact, support matching on regular expressions:

Source values are specified as strings or regular expressions (0.9.6).

(Thus you should probably be good to go!)

However, for the sake of discussion and commentary, since what you're attempting to use is not a standard yet, you better go to their mailing lists or whatnot, and tell them that what they're proposing to do is a really bad idea.

Just for the sake of it, I went to the Cookie Manager in my browser, to make a look at the use of _ the underscore versus - the shortest dash. The underscore is heavily used by at least 90% of sites/cookies, whereas dash usage within cookies is probably way below 5%.

The reason why - is not valid in variable names is very straightforward and is as old as day -- because the symbol is often used in pretty much all programming languages in place of the minus sign (dash, minus, mdash: -−—). In turn, as per re_format(7) and pcrepattern(3), this scenario is also part of the widely used regular expression implementations, where an underscore is always considered to be a part of a word, whereas a dash symbol is not.

I'd imagine the same issue will repeat itself in many other languages as well as with nginx.conf.

cnst
  • 12,948
  • 7
  • 51
  • 75
  • 1
    http://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0015.html – cnst Jul 07 '16 at 04:16
  • 1
    Hyphens in cookies are not entirely unheard of; e.g. https://gist.github.com/abersager/2244435 – Matty K Jul 07 '16 at 06:20
  • @cnst Thanks for commenting there. You could also have linked to this question as a practical example for a server software (& a stupid server admin ;) ), where one can encounter (/who has encountered) this issue. – rugk Jul 07 '16 at 14:42
  • @rugk, someone already did that in a reply; i, personally, like to avoid linking to SO, because it promotes monoculture. thanks for accept and presumably an upvote! :-) – cnst Jul 07 '16 at 14:47