Hello,
I'm struggling to create a unique token/id in the main request and have it accessible in all the sub requests including SSI.
The actual feature is to generate a CSRF token and insert it via SSI echo (most probably) into pages that might be generated via backend or served from cache via ngx_srcache.
Here is a stripped-down version. I tried to use the existing userid module, but uid_set and uid_got are different between subrequests. Only if I refresh the main page again do I get a constant value. A second approach is to generate a unique token via Lua, but it's the same problem.
I'm getting something like:
uid=6538A8C0D20BD0574740B48A02030303 for the first request
uid=6538A8C0D20BD0574740B48A02040303 for the rest
https://gist.github.com/frozenminds/cdc87c5b1e3f3d46ae2b72a5678498e7
    server {
        listen 80;
        server_name test.dev;
        root /var/www/html;
        userid on;
        default_type text/html;
        index index.html;
        charset utf-8;
        set $unique $uid_got$uid_set;

        location / {
            ssi on;
            access_by_lua_block {
                ngx.log(ngx.ERR, "[ROUTE /] UNIQUE: " .. (ngx.var.unique or "unavailable"))
                ngx.log(ngx.ERR, "[ROUTE /] UID_GOT: " .. (ngx.var.uid_got or "unavailable"))
                ngx.log(ngx.ERR, "[ROUTE /] UID_SET: " .. (ngx.var.uid_set or "unavailable"))
            }
            try_files $uri $uri/ @handler;
        }

        location @handler {
            ssi on;
            access_by_lua_block {
                ngx.log(ngx.ERR, "[ROUTE @handler] UNIQUE: " .. (ngx.var.unique or "unavailable"))
                ngx.log(ngx.ERR, "[ROUTE @handler] UID_GOT: " .. (ngx.var.uid_got or "unavailable"))
                ngx.log(ngx.ERR, "[ROUTE @handler] UID_SET: " .. (ngx.var.uid_set or "unavailable"))
            }
            # might be srcache_fetch/fastcgi_pass/etc.
            content_by_lua_block {
                local html = [[
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Main Request</title>
    </head>
    <body>
        <h1>Main Request</h1>
        <p>UID_GOT: <!--#echo var="uid_got" default="ssi uid_got unavailable" --></p>
        <p>UID_SET: <!--#echo var="uid_set" default="ssi uid_set unavailable" --></p>
        <p>UNIQUE: <!--#echo var="unique" default="ssi unique unavailable" --></p>
    </body>
    </html>
    ]]
                ngx.print(html)
            }
        }
    }
This happens only to the first request, when the user has no cookie.
Thank you in advance!