Solution to the problem of session failure caused by nginx reverse proxy

A colleague asked for help: logging in to the backend system succeeded, but he still could not get into the system and was redirected back to the login page, while the same code worked without problems in another environment.

Background

It turned out that he had deployed the same project with Tomcat in two environments, one on the development server and one on his local computer, and the code and configuration of the two environments were exactly the same. Both are reverse-proxied by the same nginx instance. The nginx configuration is as follows:

location /health/ {
  proxy_pass http://192.168.40.159:8081/health/; # No problem with this configuration
}

location /health-dev/ {
  proxy_pass http://192.168.40.202:8080/health/; # Problematic configuration
}

One location proxies to the development environment, and the other proxies to the local service.

Locating the problem

Since the code configuration is exactly the same, the problem is most likely in the nginx reverse proxy.

The location paths on the two sides are different (that is, the browser paths are different), while the server paths behind the reverse proxy are the same. Combine this with the basic principles of sessions, which work as follows:

  1. When the browser opens the page for the first time, the server creates a session for this visit and passes the session id to the browser in a response header. The header is usually Set-Cookie: JSESSIONID=xxxxx; Path=xxxx
  2. After the browser receives the response, if the value of Path in the Set-Cookie header matches the path of the browser address, the header value is stored in the browser's cookies.
  3. The next time the browser requests the server, it sends the JSESSIONID value from the cookie to the server in a request header. The header is usually Cookie: JSESSIONID=xxxx;
  4. The server uses the JSESSIONID to locate the corresponding session.

When the nginx reverse proxy is configured like this:

location /health-dev/ {
  proxy_pass http://192.168.40.202:8080/health/;
}

When the browser accesses http://www.domian.com/health-dev , the Path value of the Set-Cookie returned by the server is /health (because a reverse proxy sits in between, the server does not know the path used before the proxy, and it sets the value according to the path of the request that finally reaches the server).

Because the path /health-dev of the browser's address does not match the Path /health of Set-Cookie, the browser does not store its value in the cookie.

Therefore, on the next request the browser cannot put the JSESSIONID value in the Cookie request header, and the server cannot locate the corresponding session, so it treats the request as a first visit and creates a new session, and so on. Even if login authentication succeeds, the browser does not save the login credential (JSESSIONID) returned by the server and does not carry it on the next request, so the server considers it a new request and redirects to the login page again.

Solution

nginx has a directive, proxy_cookie_path (reference: proxy_cookie_path), that can modify the Path in the Set-Cookie returned by the server. The format is proxy_cookie_path <original path> <target path>. We add proxy_cookie_path to the configuration as follows.

location /health-dev/ {
  proxy_pass http://192.168.40.202:8080/health/;
  proxy_cookie_path /health /health-dev;
}

Restart nginx and the problem is solved.
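
The mismatch and the fix can be reproduced offline. The following is an added example, not code from the original article: it models the cookie path-match rule of RFC 6265 (which decides whether a browser returns a cookie for a given request path) and the prefix replacement that proxy_cookie_path performs on the Path attribute. The function names and the sample JSESSIONID value are constructed for illustration.

```python
# Added example: browser-side cookie path matching (RFC 6265, section 5.1.4)
# and the Path rewrite done by `proxy_cookie_path /health /health-dev;`.

def path_match(request_path: str, cookie_path: str) -> bool:
    """True if a cookie scoped to cookie_path is returned for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # The prefix must end on a path-segment boundary, so "/health"
        # does NOT cover "/health-dev/...".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def rewrite_cookie_path(set_cookie: str, original: str, replacement: str) -> str:
    """Replace a leading `original` in the Path attribute of a Set-Cookie value."""
    out = []
    for i, attr in enumerate(a.strip() for a in set_cookie.split(";")):
        name, sep, value = attr.partition("=")
        # Index 0 is the cookie's own name=value pair; never touch it.
        if i > 0 and name.lower() == "path" and value.startswith(original):
            value = replacement + value[len(original):]
        out.append(f"{name}{sep}{value}")
    return "; ".join(out)

def cookie_path(set_cookie: str) -> str:
    """Return the Path attribute; this sketch requires it to be present."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "path":
            return value
    raise ValueError("Set-Cookie has no Path attribute")

# Constructed sample: what the upstream Tomcat answers for context /health.
UPSTREAM = "JSESSIONID=0123ABCD; Path=/health; HttpOnly"
BROWSER_REQUEST = "/health-dev/index"  # path the browser actually uses

def session_survives(set_cookie: str, request_path: str = BROWSER_REQUEST) -> bool:
    """Would the browser send this cookie back on its next request?"""
    return path_match(request_path, cookie_path(set_cookie))

if __name__ == "__main__":
    fixed = rewrite_cookie_path(UPSTREAM, "/health", "/health-dev")
    print("before:", UPSTREAM, "->", session_survives(UPSTREAM))
    print("after: ", fixed, "->", session_survives(fixed))
    # Scoping check: the rewritten cookie is not sent to the /health/ location,
    # whereas a blanket Path=/ would be sent to every application on the host.
    print("leaks to /health/:", path_match("/health/index", cookie_path(fixed)))
```

Rewriting the path to /health-dev keeps the session cookie scoped to that one location; widening it to / would also send it to the /health/ application behind the same host name.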
