Questions[cookies](server)

I have a simple nginx reverse proxy:

server {
  server_name external.domain.com;
  location / {
    proxy_pass http://backend.int/;
  }
}

The problem is that Set-Cookie response headers contain ;Domain=backend.int, because the backend does not know it is being reverse proxied.

How can I make nginx rewrite the content of the Set-Cookie response headers, replacing ;Domain=backend.int with ;Domain=external.domain.com?

Passing the Host header unchanged is not an option in this case.

Apache httpd has had this feature for a while, see ProxyPassReverseCookieDomain, but I cannot seem to find a way to do the same in nginx.

I am serving an ASP.NET application from IIS 7 but we are experiencing some weird cookie issues. The code works fine in other environments so we are assuming this is specific to this server (related question).

We have been looking at the http headers returned and someone pointed out that the date http header is showing the 1st of Jan rather than today's date (so far it always shows that date regardless of what the current date is). The system clock is set correctly (and we can print out the current time/date via DateTime.Now correctly as well) so we can't work out why it's now working. Does anyone have any ideas? Is this a red-herring?

Thanks, James

I'm using the "page speed" extension for Firebug to try to optimise a website and I'm currently working on the following suggestion: "Serve static content from a cookieless domain".

I have created a separate sub-domain for some content so that I have www.example.com and images.example.com but how do I specify that images.example.com is cookieless? Can I enforce that it is cookieless in a webserver such as Nginx or Apache or is it simply a matter of making sure not to set any cookies in this domain in the serverside code (e.g. PHP)?

The reason why I'm asking is because "Page Speed" is still showing the same recommendation even after I tried to fix it - so I guess some cookies must have slipped through. I can't see any cookies in my browser cookie search but if I examine the HTTP headers of the resource I can see:

Cookie  __utma=73051794.676740941.1271792323.1277710025.1277900715.20; __utmz=73051794.1271792323.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmx=73051794.00009825591030858779:3:0; __utmxx=73051794.00009825591030858779:2295429:2592000; __gads=ID=0a768e3407302ff8:T=1272608001:S=ALNI_MZ-GKhg3ETniU0TVftk0DdGyUypkQ

Anyone know how I can stop cookies from my sub-domain?

I simply cannot believe this is quite so hard to determine.

Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.

subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com returns sets a cookie with Domain=example.com, it doesn't get that cookie back! That can't be right.

Can anyone clarify what the rules really are?

We run a community product. There is an individual (a little PoS kid) in the UK that is harassing our site for the last 6 months. His daily task is to create a new account, post a bunch of illegal / inflammatory content, get a rise out of people, then get deleted within a few hours by an admin. Then repeat.

His IP address changes every time he creates a new account (either using a proxy or some other similar tool). The only commonality is the top level 92.x.x.x. We've tried contacting UK authorities... while they are interested, they have not provided anything actionable. Meanwhile, this harassment continues daily.

Anyone have experience on how to kill this off? I'm pretty much at my wit's end here and hoping someone who has dealt with this before can provide some guidance.

Thx in advance.