Score:0

Nginx header HTTPOnly closing user sessions


I'm using an Nginx server to host a PHP web application, and tried to upgrade its security by using some security headers. I've tested it on a staging environment and it works fine, so I've decided to use the same config on Production, and after a week we had some trouble with many users reporting things like sessions getting closed when doing any request on the app.

So I've checked the logs and other configs, and nothing worked. Then I removed the add_header Set-Cookie "Path=/; HttpOnly; Secure" directive and the application started working again.

Below is the current configuration on Staging, and except for the above directive, it's the same thing on Production.

#Secure flag for Cookies
add_header Set-Cookie "Path=/; HttpOnly; Secure";
#XSS Protection
add_header X-XSS-Protection "1; mode=block";
#Clickjacking Protection
add_header X-Frame-Options "SAMEORIGIN";
#Check MIME type for files
add_header X-Content-Type-Options nosniff;

Any clues on why nginx is closing user sessions when I use it?

Score:1

In the Set-Cookie header, the HttpOnly flag directs the browser to block client-side scripts from accessing the cookie. It is a security feature that can aid in the prevention of XSS attacks. However, because it is a client-side functionality, it should not be the source of the problem you are experiencing.

When you use the HttpOnly setting, your application sessions may be closed for a variety of reasons. One possibility is that the server is failing to set the Secure flag in the Set-Cookie header correctly. The Secure setting instructs the browser to send the cookie only over a secure HTTPS connection, which is critical for securing sensitive data.

Another possibility is that the Path value in the Set-Cookie header is incorrectly set. The Path value defines the server path where the cookie is valid. If the path is erroneously specified, the cookie may not be transmitted with subsequent requests, resulting in the session being lost.

It is also conceivable that the session is being ended due to a bug or misconfiguration in your application code. You should look over your application code to determine if there are any flaws that could be causing the issue.

In conclusion, the HttpOnly flag should not be causing any problems with your session. Make sure the Secure and Path settings in the Set-Cookie header are appropriately set, then analyze your application code for any errors that could be causing the session to be closed.
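As an added example (not part of the question or the answer above), here is a small audit script that parses Set-Cookie values the way a browser does (RFC 6265 section 5.2: the first name=value pair is the cookie, everything after the first semicolon is attributes) and reports which cookies carry Secure and HttpOnly. Run against constructed sample headers, it shows what the directive from the question, add_header Set-Cookie "Path=/; HttpOnly; Secure", actually does: it does not add flags to the application's session cookie. The browser stores a separate cookie literally named "Path" with value "/", while the PHP session cookie keeps whatever flags PHP gave it. The sample headers and the PHPSESSID value are constructed for the example.

```python
"""Audit Set-Cookie headers as a browser would parse them (RFC 6265 section 5.2)."""
from dataclasses import dataclass, field

# Attribute names a browser recognises after the leading "name=value" pair.
# A cookie whose *name* is one of these is almost certainly a misconfigured
# header that was meant to be an attribute list.
KNOWN_ATTRIBUTES = {"path", "domain", "expires", "max-age", "secure", "httponly", "samesite"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header_value: str):
    """Parse one Set-Cookie value. Returns None when a browser would ignore the header."""
    if ";" in header_value:
        pair, rest = header_value.split(";", 1)
    else:
        pair, rest = header_value, ""
    if "=" not in pair:
        return None  # RFC 6265 5.2: no "=" in the first pair -> ignore the whole header
    name, value = pair.split("=", 1)
    name, value = name.strip(), value.strip()
    if not name:
        return None  # empty cookie name -> ignore the whole header
    attrs = {}
    for part in rest.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # bare attributes such as Secure / HttpOnly
    return ParsedCookie(name, value, attrs)


def audit_set_cookie(header_value: str):
    """Return a list of finding strings for one Set-Cookie header (empty list = fine)."""
    findings = []
    cookie = parse_set_cookie(header_value)
    if cookie is None:
        findings.append("ignored by browsers: no name=value pair")
        return findings
    if cookie.name.lower() in KNOWN_ATTRIBUTES:
        findings.append(
            f"cookie named {cookie.name!r}: looks like an attribute list with no cookie in front"
        )
    if "secure" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing Secure")
    if "httponly" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing HttpOnly")
    return findings


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as received. Returns {set-cookie value: findings}."""
    report = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            report[value] = audit_set_cookie(value)
    return report


# Constructed response headers: what the PHP backend sends, plus the header the
# nginx add_header directive from the question appends to every response.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123def456; path=/"),      # PHP's session cookie, unflagged
    ("Set-Cookie", "Path=/; HttpOnly; Secure"),           # nginx add_header from the question
    ("Set-Cookie", "PHPSESSID=abc123def456; path=/; HttpOnly; Secure"),  # what was intended
]

if __name__ == "__main__":
    for header, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"Set-Cookie: {header}")
        for finding in findings or ["ok"]:
            print(f"    {finding}")
```

For a PHP application the place to put these flags is PHP itself (session.cookie_httponly and session.cookie_secure in php.ini, or ini_set() before session_start()), so that they land on the real session cookie; nginx's add_header does not modify a header the backend already sent, it only appends another one. nginx 1.19.3 and later also has proxy_cookie_flags for proxy_pass backends, but that module does not apply to fastcgi_pass.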
