This is a complete demo of two different cookie-security techniques:
- Cookie jar - NGINX Plus stores the upstream's new cookies in its key-value store and issues the client a single opaque reference cookie with which to retrieve them
- Signed cookies - NGINX creates a signature for every new cookie and, on later requests, validates that each presented cookie still matches its signature
Requires NGINX Plus with JavaScript module (njs 0.5.1+)
NGINX is configured as a reverse proxy to a "Random Emoji App". On first access, the app produces an emoji and sends cookies to hold session state. Repeat visits send the same cookie back.
- By default, all requests pass cookies straight through to the client in the normal manner.
- Requests to /jar keep session state in the key-value store; the client receives a single reference cookie.
- Requests to /sign send an additional cookie (sig. prefix) carrying a cryptographic signature that must accompany future client requests.