how to add expires/max-age to cookie instead of setting it at Expires/Cache-control header.

[RamirezTuco]

Hi,

We are the module nginx-secure-token-module and generating the CDN tokens as cookies.
However, the cookie set does not have any expires or max-age set, and browser interprets it as a session cookie.

Below is the header generated by the module.

Set-Cookie: hdnea=st=1614781275exp=1614867675acl=/*~hmac=c1234f5a6efb7b890ae10d3f45678ce90cc1b2345c6c3fc7bb89ebe01e23456c

We are looking for something so that we can change the Expires/Max-age in the cookie, like

Set-Cookie: hdnea=st=1614781275exp=1614867675acl=/*~hmac=c1234f5a6efb7b890ae10d3f45678ce90cc1b2345c6c3fc7bb89ebe01e23456c; max-age=3600; expires=1614867675

It seems 'secure_token_cookie_token_expires_time' is used for Expires and Cache-Control HTTP headers.

Is there some parameter to add expires/max-age to the cookie header as above instead of setting it at the Expires header level?

Can anyone help in this plz?

Thanks
Tuco

[erankor]

This feature doesn't exist in the module, but I think you can probably achieve what you want by using the builtin add_header.
Something like -

secure_token_akamai $my_token {
   key 1234;
   ...
}

add_header Set-Cookie '$my_token; max-age=3600';

Expires is more problematic... I'm not sure there's a way to get it into a var unless you use ngx_lua, but maybe max-age is enough.

[RamirezTuco]

Thanks @erankor it works, some observations.

1. two cookies are added in response, one with the module and one without the module. However it works well on the browser.

2. It seems add_header removes all the parent add_headers directives, as specified here and here.It can still be overcome, by externalizing all add_header directives in a file and importing the file in the location block.

Thank you for the help.
Tuco

[erankor]

1. If you get two cookies, it probably means you still have the secure_token directive in your conf, you should remove it if the cookie is added by add_header
2. Each location that uses add_header creates a list of headers, the list of the lowest level takes priority - the lists are not merged. So, for example, if you have some add_headers under server and you use add_header in the location, the add_headers of the server will be ignored.