Jump to content

Leaked session data on nginx server

Recommended Posts


I manage a client website which use PW and Padloper for ecommerce.

We recently had an issue where customers were seeing other customers' baskets and prefilled form data on the checkout form.
From what I saw, the data was not users who had accounts, just data which was held in their sessions.

I think I have narrowed this down to being caused by nginx fast-cgi caching, but I do not know enough about how this works to be certain.

I have a couple of questions:

• Can fast-cgi cached cause session data to be shared, leaked or incorrectly assigned?
• Can fast-cgi cache provide authentication to unauthorised users?

I'm reasonably confident that the whole shop cart and checkout bypassed the cache, so is it possible that somebody could 'swap' sessions on a diffetent part of the site which shouldn't have been cached?

I don't have a great deal of knowlegde of how sessions, caching and cookies work and fit together, so if it's likely that the fastcgi-cache isn't the problem, can anyone point me in the direction of what might be?


Share this post

Link to post
Share on other sites

Hi @sodesign ,  interesting, did your issue is fixed ? if yes, how ? thanks;

And to answer the two questions :  Yes, but it should only do that if you tell NGINX to do it.


About the issue, and based on your post, it look like a cache issue where cookies has been cached.

The official statement say that by default, NGINX respects the Cache-Control headers from origin servers. It does not cache responses with Cache-Control set to Private, No-Cache, or No-Store or with Set-Cookie in the response header. This is the current behavior; 

I will add that before the version 0.8.44, the header was stripped then the request cached. 


All that to say that theses parameters can be overridden, and you should show us your NGINX config file before we go further.



  • Like 2

Share this post

Link to post
Share on other sites

Thanks for your reply @flydev 👊🏻

I have looked through our nginx config, and I can see the lines

fastcgi_ignore_headers Cache-Control Set-Cookie Expires;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
fastcgi_cache OPS-FASTCGI;
fastcgi_cache_valid 240m;
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;

The $no_cache param is set based on the request uri, and I did notice one 'private' url had been missed from the exclusions at the time of the issue.

This really isn't my area of expertise, and we set up the config some time ago, inspired by Trellis (in wordpress land). I noticed someone questioned them about the inclusion of the fastcgi_pass_header Set-Cookie property (https://discourse.roots.io/t/nginx-caching-configuration-in-trellis/7056)

Would removing fastcgi_pass_header Set-Cookie be a good idea? Is there any reason this would need to be passed?

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...