Hello!

On Mon, Feb 15, 2016 at 01:29:01AM -0500, nitin wrote:

> Thanks for reply.
> In case client is just a browser then it will send all the cookies with nginx
> domain which means that nginx will send all the cookies to backend server
> irrespective of who initially set it in set-cookie header. This could be a
> security issue then.

For sure - if you are using untrusted backend servers in your domain this can be a security issue. Regardless of what nginx does, actually - just Set-Cookie may be enough to be an issue. Moreover, any JavaScript returned by a backend server will be able to read all cookies as well.

Of course this should be considered when using multiple backend servers within a single domain.

-- 
Maxim Dounin
http://nginx.org/
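
The cookie scoping discussed in this exchange can be audited before putting several backends behind one domain. The following is an added example, not code from the thread or from nginx: it applies the RFC 6265 default-path and path-match rules to a Set-Cookie header to list which backends will receive that cookie. The `ROUTES` layout, backend names, URLs and cookie values are hypothetical, and all backends are assumed to share one host name.

```python
# Added example: which proxied backends receive a cookie under RFC 6265 path rules.
# ROUTES, backend names and cookie values are constructed for illustration.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Hypothetical nginx layout: location prefix -> backend, all under one domain.
ROUTES = {"/shop/": "shop-backend", "/blog/": "blog-backend", "/": "main-backend"}

def default_path(request_path):
    """RFC 6265 section 5.1.4: cookie path used when Set-Cookie has no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does a request path fall under a cookie path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def backend_for(path):
    """Longest-prefix match, as nginx does for prefix locations."""
    prefix = max((p for p in ROUTES if path.startswith(p)), key=len)
    return ROUTES[prefix]

def cookie_exposure(set_by_url, set_cookie_header):
    """Map each cookie name to the sorted backends whose requests will carry it."""
    req_path = urlsplit(set_by_url).path or "/"
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    exposure = {}
    for name, morsel in jar.items():
        cpath = morsel["path"]
        if not cpath.startswith("/"):  # missing or invalid Path attribute
            cpath = default_path(req_path)
        # One representative request path per location prefix.
        probes = [prefix + "index" for prefix in ROUTES]
        exposure[name] = sorted({backend_for(p) for p in probes if path_match(p, cpath)})
    return exposure

if __name__ == "__main__":
    for header in ("sid=abc; Path=/", "sid=abc", "sid=abc; Path=/blog/"):
        print(header, "->", cookie_exposure("https://example.com/shop/login", header))
```

Path scoping only narrows which requests carry the cookie; it does not address the script access mentioned in the reply above.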
