bungle / lua-resty-session

Session library for OpenResty – flexible and secure
BSD 2-Clause "Simplified" License

Cookies are always not "secure" #5

Closed vladimir-smirnov-sociomantic closed 9 years ago

vladimir-smirnov-sociomantic commented 9 years ago

Hi,

I've got some problems (maybe related to my setup, not to the plugin), but even when using a server with SSL, session cookies don't have the "Secure" flag (ngx.var.ssl_session_id is always nil).

I've tried Nginx both 1.6.2 and 1.7.7 with lua-nginx-module 0.9.12 and 0.9.13 installed. ngx_devel_kit is latest 0.2.19.

bungle commented 9 years ago

Obviously, you have made the request using SSL/TLS?

bungle commented 9 years ago

I just tried with normal http (not TLS/SSL) and I did this in Nginx config:

set $session_cookie_secure     on;

Then I did run the demo (that is documented in readme).

I got this on the browser:

Set-Cookie:session=j1XS0kzcpVr4V1ck89P9Zw..|1417025899|Lpy2N9ZGuDDNcOFa_FWfuoZXdIdWGe5M4rG5Zxl0obI.|dC9UfCPAN0CRBsyOOmy33E9xusY.; Path=/; Secure; HttpOnly

Obviously the client didn't send it back (over insecure HTTP) because there was a Secure flag in the cookie.

bungle commented 9 years ago

I have to test this also with SSL/TLS to see how ssl_session_id behaves. It should be there.

vladimir-smirnov-sociomantic commented 9 years ago

I'm doing it with https (self-signed for testing, but I've tried with a normal cert). Yeah, I haven't set "session_cookie_secure", but on purpose, to have autodetection working. But it seems that nginx for some reason fails to pass ssl_session_id to Lua. At least my build of it (I've built it with ngx_devel_kit, also using luajit-2.1 from git, commit date somewhere near 15th Nov 2014).

vladimir-smirnov-sociomantic commented 9 years ago

Maybe there's something wrong with my nginx, or nginx's settings, but I can't find what exactly. But from Lua I can't get any info from the 'ngx.var.ssl_*' variables (it's always nil).

bungle commented 9 years ago

Hi,

Now I removed this:

set $session_cookie_secure     on;

from the Nginx config. I quickly created a self-signed certificate and then requested the site with https://localhost:4433/

I modified the demo a little bit:

session.data.name = "OpenResty Fan"

to

session.data.name = "OpenResty Fan " .. ngx.var.ssl_session_id

Everything else was left as default.

I got this cookie:

Set-Cookie:session=FhtZBPof7_z0OO9QuX0_Eg..|1417026716|dvqg0CaQ19tz1rl0lP1EmdPzHPuz6TSwEXIMa6EHnjKnCB56eF9lwpv4OZBLDbvZAuZBGKBrk5sFB4tjZTf5Syg7uqhgQw4QcL58NJx4GVLR3cLdQOSCm2ggO55YU6sc|kZnUtPaIcIfnuQJnUrAwxY79itQ.; Path=/; Secure; HttpOnly

Then I also got this message on /test page:

Session was started by OpenResty Fan 958d5c8576ce0aff879797109d92a6f5e6c88fe0eda2fb8c6b17b1a37da98dfa! Destroy the session.

I also tried to refresh that page many times. And also destroying etc. worked correctly.

Please note that I released version 1.4 of lua-resty-session today. Please use that. This bug might be related to issues fixed in 1.4.

Regards Aapo

bungle commented 9 years ago

Also, nginx's ssl_session_timeout is affecting this (on my machine it was 5 min by default, making sessions invalid after that period).

bungle commented 9 years ago

I also got an error about a nil ngx.var.ssl_session_id now. It seems to trigger somehow, but I do not know why or when, yet. I think it has to do with nginx configs. Try to add these to your nginx ssl configs:

ssl_session_cache shared:SSL:100m;
ssl_session_timeout 60m;

bungle commented 9 years ago

I added some notes here as well: https://github.com/bungle/lua-resty-session#nginx-configuration-variables

vladimir-smirnov-sociomantic commented 9 years ago

The strange thing is that I'm still getting "nil", always, even in a simple lua_access_page:

ngx.log(ngx.DEBUG, "ngx.var=", ngx.var.ssl_session_id)
return ngx.exit(ngx.HTTP_OK)

bungle commented 9 years ago

Can you show your ssl_* nginx configs? Are you using spdy or normal HTTPS?

bungle commented 9 years ago

Hi, I found this: https://www.marshut.net/ksviqk/nginx-lua-nginx-get-ssl-session-id.html

Can you try adding this: ssl_protocols SSLv3;

So it seems to be a problem related to TLS/SSL. I will look into whether we can use TLS tickets here in case the SSL session id is missing.

bungle commented 9 years ago

Ah, it was you asking it ;-). Nice and fast Google indexing.

bungle commented 9 years ago

You could also try to add: ssl_session_tickets off;

Also, check this out: https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/

For PFS to work, you need to disable session tickets.

vladimir-smirnov-sociomantic commented 9 years ago

Yeah, disabling session_tickets helped. Thanks!

bungle commented 9 years ago

I'm glad it helped. Still, this feels like a workaround, and not a solution (for tickets there doesn't seem to be a variable or anything that is equivalent to ssl_session_id).

I will change the code to read the default value for the Secure flag from a more reliable source (it was convenient to read it from a single variable, but that is not reliable, as shown).

bungle commented 9 years ago

I just released version 1.5, where we use a more reliable way to auto-detect the Secure flag for the cookie. I also adjusted the code a little bit to work in scenarios where some nginx variable could be nil, like ngx.var.ssl_session_id in this case. Let's see what the future brings here, whether we can also get the added security that ssl_session_id provides for TLS tickets as well (but there are no ways for that currently that I know of). Mind that the ssl_session_id is not mandatory when we have support for server-side session storages (it mainly protects the client-side session storage). I'm closing this now.
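The pattern the thread converges on, written out as an added example (this is not lua-resty-session's own code, and the 1.5 release may do it differently): derive the Secure flag from the request scheme, which nginx sets for every TLS request, and treat ngx.var.ssl_session_id only as an optional extra binding, since it is nil whenever the handshake was resumed via a TLS session ticket. The names `cookie_security` and `set_cookie_header` are hypothetical, and `vars` stands in for ngx.var so the snippet also runs under plain Lua outside OpenResty.

```lua
-- Added example, not lua-resty-session's code. Decides the cookie's Secure
-- flag from $scheme / $https rather than from ngx.var.ssl_session_id, which
-- stays nil under TLS session-ticket resumption (the failure in this thread).
-- `vars` mirrors ngx.var so the function can be exercised without nginx.
local function cookie_security(vars, override)
  -- an explicit "set $session_cookie_secure on|off" wins over detection
  if override == "on" then
    return { secure = true, session_id = vars.ssl_session_id }
  elseif override == "off" then
    return { secure = false, session_id = vars.ssl_session_id }
  end
  -- $scheme and $https are populated for every TLS request, resumed or not
  local over_tls = vars.scheme == "https" or vars.https == "on"
  -- ssl_session_id is optional: present after a full handshake, nil with tickets
  local binding = nil
  if over_tls then binding = vars.ssl_session_id end
  return { secure = over_tls, session_id = binding }
end

-- Builds the Set-Cookie value; Secure is emitted only when detected/forced.
local function set_cookie_header(name, value, sec)
  local parts = { name .. "=" .. value, "Path=/" }
  if sec.secure then parts[#parts + 1] = "Secure" end
  parts[#parts + 1] = "HttpOnly"
  return table.concat(parts, "; ")
end

-- Constructed inputs covering the situations discussed above.
local ticket_resumed = { scheme = "https", https = "on" }                 -- ssl_session_id nil
local full_handshake = { scheme = "https", https = "on",
                         ssl_session_id = "constructed-session-id" }
local plain_http     = { scheme = "http" }

-- Secure is set on TLS even when the session id is missing ...
assert(cookie_security(ticket_resumed).secure == true)
assert(cookie_security(ticket_resumed).session_id == nil)
-- ... the binding is used only when nginx actually exposes it ...
assert(cookie_security(full_handshake).session_id == "constructed-session-id")
-- ... and never on plain HTTP unless the operator forces it.
assert(cookie_security(plain_http).secure == false)
assert(cookie_security(plain_http, "on").secure == true)

print(set_cookie_header("session", "constructed-value", cookie_security(ticket_resumed)))
print(set_cookie_header("session", "constructed-value", cookie_security(plain_http)))
```

In an OpenResty access phase you would call `cookie_security(ngx.var, ngx.var.session_cookie_secure)` and pass the result to whatever sets the header. The point of the `session_id` field being allowed to be nil is exactly the 1.5 adjustment described above: code that concatenates ngx.var.ssl_session_id into a key or MAC input without a nil check raises an error on ticket-resumed connections, while code that treats it as optional keeps working and simply loses that extra client-side binding.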