Permalink
Browse files

secret len should be 32 bytes or more, insecure "none" config deprecated

  • Loading branch information...
kyprizel committed Nov 29, 2015
1 parent fa546e2 commit eb8ae55a247c018a9c66344c092b5939e3431ee6
Showing with 16 additions and 6 deletions.
  1. +3 −0 Changelog
  2. +1 −2 README
  3. +3 −3 README.markdown
  4. +9 −1 src/ngx_http_testcookie_filter_module.c
@@ -1,3 +1,6 @@
v1.18
*) Secret len now should be more than 31 bytes
v1.17
*) Secure flag can be operated with variables
3 README
@@ -30,10 +30,9 @@ DIRECTIVES
cookie path, useful if you plan to use different keys for locations. default is /
testcookie_secret
secret string, used in challenge cookie computation,
secret string, used in challenge cookie computation, should be 32 bytes or more,
better to be long but static to prevent cookie reset for legitimate users every server restart.
if set to "random" - new secret will be generated every server restart, not recomended(all cookies with previous key will be invalid),
if not set, only value based on testcookie_session will be used.
testcookie_session
sets the challenge generation function input,
@@ -75,13 +75,13 @@ testcookie_secret
-----------------
**syntax:** *testcookie_secret <string>*
**default:** *none*
**default:** *required configuration directive*
**context:** *http, server, location*
Secret string, used in challenge cookie computation, better to be long but static to prevent cookie reset for legitimate users every server restart.
Secret string, used in challenge cookie computation, should be 32 bytes or more,
better to be long but static to prevent cookie reset for legitimate users every server restart.
If set to *"random"* - new secret will be generated every server restart, not recomended(all cookies with previous key will be invalid),
If not set, only value based on testcookie_session will be used.
testcookie_session
------------------
@@ -1,5 +1,5 @@
/*
v1.17
v1.18
Copyright (C) 2011-2015 Eldar Zaitov (eldar@kyprizel.net).
All rights reserved.
@@ -1887,10 +1887,18 @@ ngx_http_testcookie_secret(ngx_conf_t *cf, void *post, void *data)
{
ngx_str_t *secret = data;
if (secret->len < MD5_DIGEST_LENGTH*2) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"Secret value is too short, should be 32 bytes or more\n");
return NGX_CONF_ERROR;
}
/*
if (ngx_strcmp(secret->data, "none") == 0) {
secret->len = 0;
secret->data = (u_char *) "";
}
*/
#ifdef REFRESH_COOKIE_ENCRYPTION
if (ngx_strcmp(secret->data, "random") == 0) {

0 comments on commit eb8ae55

Please sign in to comment.