nginx webserver cookieless

Is it possible to set up nginx without cookies?


I see, especially here in Germany, more and more web sites asking for permission to set cookies. My current project doesn't require cookies on the application level. So I am wondering if I shouldn't drop cookies entirely.

My questions:

Is it possible to set up a static web site with nginx entirely without the use of cookies?

And if so, is there a downside to cookieless sites?


Solution

  • Yes, it is certainly possible.

    There are absolutely no downsides° (°unless you care for tracking, user-login, or having any sort of preferences, although alternatives exist as well).

    On the other hand, there are plenty of upsides — you ensure that if one user shared the URL with another one, that the URL will work as expected, as it doesn't depend on any cookies.

    Note that with the help of nginx you can actually remove cookies even from backend applications that strictly do require the cookies. E.g., I did it for my OpenGrok installation at http://BXR.SU/, where I use nginx to strip the cookies, both ways, and effectively use the URL path on the client-facing side as the preference identifier in place of saving such information in the cookies, and subsequently converting such $uri into $args (in place of cookies) when passing the requests back to OpenGrok (if OpenGrok would not have supported $args as a fallback, it'd also be possible to still use cookies within the backend, but still clear them up before serving the content back to the client).

    See http://serverfault.com/questions/462799/leverage-proxy-caching-with-nginx-by-removing-set-cookie-header/467774#467774 for some more discussion of my implementation. For example, the following may be used to ensure your backend can neither set nor get any cookies:

        proxy_hide_header       Set-Cookie;
        proxy_ignore_headers    Set-Cookie;
        # important! Remember the special inheritance rules for proxy_set_header:
        # http://nginx.org/ru/docs/http/ngx_http_proxy_module.html#proxy_set_header
        proxy_set_header        Cookie "";
    

    Note that even with the above code, cookies could still be set and read by the front-end with the help of JavaScript.
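
The inheritance rule mentioned in the answer's code comment, shown in a fuller configuration. This is an added example, not part of the original answer; the upstream name, backend address, server name and document root are placeholders chosen for illustration.

```nginx
# Added example; app_backend, 127.0.0.1:8080, example.org and
# /var/www/example are placeholders, not values from the answer.
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.org;

    # Server-level defaults: Set-Cookie from the backend is dropped
    # before the response reaches the client, and an empty value
    # means no Cookie header is passed to the backend.
    proxy_hide_header    Set-Cookie;
    proxy_ignore_headers Set-Cookie;
    proxy_set_header     Cookie "";

    location / {
        # No proxy_set_header at this level, so the server-level
        # 'Cookie ""' is inherited.
        proxy_pass http://app_backend;
    }

    location /api/ {
        # Defining ANY proxy_set_header at this level discards every
        # proxy_set_header inherited from the server level, so
        # 'Cookie ""' has to be repeated or cookies reach the backend.
        proxy_set_header Host   $host;
        proxy_set_header Cookie "";
        proxy_pass http://app_backend;
    }

    location /static/ {
        # Files served directly by nginx; nothing is proxied here.
        root /var/www/example;
    }
}
```

Running `curl -sI` against each location and checking that no `Set-Cookie` line appears confirms the response side; the request side can be confirmed from the backend's own request log.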