All geek questions in one place

Logout does not work, caching on nginx, how to allow logout?

I have everything cached, if I log in to my account, you can no longer log out), how do you log out when you leave? I need to know how to delete cookies and session! when i log out!

PS if I disable caching at the nginx level, everything will be fine, the problem is in nginx

nginx conf

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    proxy_connect_timeout 5;
    proxy_send_timeout 10;
    proxy_read_timeout 10;
    proxy_buffering on;
    proxy_buffer_size 16k;
    proxy_buffers 24 16k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;

    proxy_temp_path /tmp/nginx/proxy_temp;
    add_header X-Cache-Status $upstream_cache_status;
    proxy_cache_path /tmp/nginx/cache levels=1:2 keys_zone=first_zone:100m;
    proxy_cache one;
    proxy_cache_valid any 30d;
    proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;

conf server

upstream some site {
  server unix:/webapps/some/run/gunicorn.sock fail_timeout=0;
}

server {
    listen   80;
    server_name server name;
    expires 7d;
    client_max_body_size 4G;

    access_log /webapps/some/logs/nginx-access.log;
    error_log /webapps/some/logs/nginx-error.log;
    error_log /webapps/some/logs/nginx-crit-error.log crit;
    error_log /webapps/some/logs/nginx-debug.log debug; 
    location /static/ {
        alias   /webapps/some/static/;
    }

    location /media/ {
        alias   /webapps/some/media/;
    }
    location ~* ^(?!/media).*.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        root root_path;
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
    }    
    location ~* ^(?!/static).*.(?:css|js|html)$ {
        root root_path;
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
    }     

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cache one;
        proxy_cache_min_uses 1;
        proxy_cache_use_stale error timeout;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://some;
            break;
        }
    }
    error_page 404 /404.html;
    location = /error_404.html {
        root /webapps/some/src/templates;
    }

    error_page  500 502 503 504 /500.html;
    location = /error_500.html {
        root /webapps/some/src/templates;
    }
}
+4
source share
2 answers

Instead of quitting the query with the query GET, change the login view to take the form POST.

POST Requests should not be cached.

, iframe (: https://example.com/logout/, CSRF django).

: django- , .

+4

:

, cookie ! !

:

proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;

, $cookie_US?

  • , , , cookie , URL- , ( ) ( , ), " , , , - .

, , , , http://nginx.org/r/proxy_cache_key - , . , , - , - - , , .

, , , , nginx:

proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;
location /logout {
    add_header Set-Cookie "US=empty; Expires=Tue, 19-Jan-2038 03:14:07 GMT; Path=/";
    return 200 "You've been logged out!";
}

P.S. , XSS - iframe /logout , . $http_referer, , .

+2

Source: https://habr.com/ru/post/1691405/

More articles:


All Articles