nginx.git/src/http/modules, branch release-1.29.6 nginx Sticky: fixed expiration of learned sessions after reload. 2026-03-09T17:08:30+00:00 Aleksei Bavshin a.bavshin@nginx.com 2026-02-17T20:02:59+00:00 52cda2849cbc17fe82bc006d1571e657a42dba24 Previously, the expiration timer for learned session was not started until a new session is created. This could lead to the sessions being active past the expiration time. 
Previously, the expiration timer for learned session was not started
until a new session is created.  This could lead to the sessions being
active past the expiration time.
Sticky: samesite=<strict|lax|none> cookie flags. 2026-03-09T17:08:30+00:00 Vladimir Kokshenev v.kokshenev@f5.com 2020-11-01T23:03:08+00:00 0380586e69fc7b0b8aa7cea2329fef54f8ae69cb Adds new options for the "sticky cookie" directive to set samesite=<strict|lax|none> cookie flags. 
Adds new options for the "sticky cookie" directive to set
samesite=<strict|lax|none> cookie flags.
Sticky: added the "header" parameter in the learn mode. 2026-03-09T17:08:30+00:00 Vladimir Homutov vl@nginx.com 2017-06-08T12:39:06+00:00 8021cb02de840d6168a98e4eefb9bdfbe51ba96e With this parameter set, sessions are learned after receiving upstream headers. 
With this parameter set, sessions are learned after receiving upstream headers.
Sticky: added the "max-age" attribute to cookie. 2026-03-09T17:08:30+00:00 Vladimir Homutov vl@nginx.com 2017-04-07T13:28:15+00:00 7acbe17776a4133a08c7b5f502dc4a8fc40b2aef RFC 6265 defines "Max-Age" cookie attribute in section 5.2.2. If the "expires" option is passed to the "sticky" directive, "max-age" attribute will appear in cookies set by the module with corresponding value in seconds. For the special "max" value of the "expires" option, corresponding "max-age" attribute value will be set to 315360000 seconds (10 years, similar to how its done in headers_filter module for the "Cache-Control" header). 
RFC 6265 defines "Max-Age" cookie attribute in section 5.2.2.

If the "expires" option is passed to the "sticky" directive, "max-age"
attribute will appear in cookies set by the module with corresponding
value in seconds.

For the special "max" value of the "expires" option, corresponding "max-age"
attribute value will be set to 315360000 seconds (10 years, similar to
how its done in headers_filter module for the "Cache-Control" header).
Sticky: added variables support to cookie domain. 2026-03-09T17:08:30+00:00 Vladimir Homutov vl@nginx.com 2016-09-28T07:55:58+00:00 c988a6e2c13fc37cfc09d11a492540cd4e44163a 






Sticky: added "httponly" and "secure" attributes.
2026-03-09T17:08:30+00:00

Vladimir Homutov
vl@nginx.com

2015-03-17T15:46:15+00:00

6c13f0468be05a4d9f2f36e1a28ebbe14ac10281

The attributes are described in RFC6265, sections 4.1.2.5 and 4.1.2.6
respectively.





The attributes are described in RFC6265, sections 4.1.2.5 and 4.1.2.6
respectively.







Sticky: added the "learn" mode.
2026-03-09T17:08:30+00:00

Vladimir Homutov
vl@nginx.com

2014-05-05T07:53:10+00:00

af7137c88a87d4592d8d5879adf50b151d61e5b6

In this mode, nginx "learns" which client uses which proxied server by
analyzing headers of client requests and proxied server responses.

For example, a proxied server may start sessions by issuing the "Set-Cookie"
header field to set cookie 'sid' and returning clients will bring the cookie
with the same name.

The following configuration may be used to handle this case:

upstream u1 {
    server 127.0.0.1:8080;
    server 127.0.0.1:8081;

    sticky learn timeout=10m zone=sess:1m
           create=$upstream_cookie_sid
           lookup=$cookie_sid;
}

Co-authored-by: Ruslan Ermilov <ru@nginx.com>
Co-authored-by: Maxim Dounin <mdounin@mdounin.ru>





In this mode, nginx "learns" which client uses which proxied server by
analyzing headers of client requests and proxied server responses.

For example, a proxied server may start sessions by issuing the "Set-Cookie"
header field to set cookie 'sid' and returning clients will bring the cookie
with the same name.

The following configuration may be used to handle this case:

upstream u1 {
    server 127.0.0.1:8080;
    server 127.0.0.1:8081;

    sticky learn timeout=10m zone=sess:1m
           create=$upstream_cookie_sid
           lookup=$cookie_sid;
}

Co-authored-by: Ruslan Ermilov <ru@nginx.com>
Co-authored-by: Maxim Dounin <mdounin@mdounin.ru>







Upstream: added sticky sessions support for upstreams.
2026-03-09T17:08:30+00:00

Vladimir Homutov
vl@nginx.com

2013-04-02T21:44:36+00:00

104734f21888cfec6994e092073f51a0d4b0fb47

Sticky sessions allow to route the same client to the same upstream server.

- upstream structures are extended to keep session-related information

- existing balancing modules are updated to provide an id of the selected
  server (SID) in pc->sid, and to select the server, given it's SID.

- other balancing modules are allowed to set the pc->hint value to choose
  the desired peer.  The sticky module will not change the hint if it's
  already set.

- the feature is enabled by default and can be disabled with the
  "--without-http_upstream_sticky" switch of the configure script.

The following configuration can be used to enable sticky sessions for
supported balancing modules:

    upstream u1 {
        server 127.0.0.1:8080;
        server 127.0.0.1:8081;

        sticky cookie server_id expires=1h domain=.example.com path=/;
    }

Co-authored-by: Ruslan Ermilov <ru@nginx.com>
Co-authored-by: Roman Arutyunyan <arut@nginx.com>
Co-authored-by: Maxim Dounin <mdounin@mdounin.ru>





Sticky sessions allow to route the same client to the same upstream server.

- upstream structures are extended to keep session-related information

- existing balancing modules are updated to provide an id of the selected
  server (SID) in pc->sid, and to select the server, given it's SID.

- other balancing modules are allowed to set the pc->hint value to choose
  the desired peer.  The sticky module will not change the hint if it's
  already set.

- the feature is enabled by default and can be disabled with the
  "--without-http_upstream_sticky" switch of the configure script.

The following configuration can be used to enable sticky sessions for
supported balancing modules:

    upstream u1 {
        server 127.0.0.1:8080;
        server 127.0.0.1:8081;

        sticky cookie server_id expires=1h domain=.example.com path=/;
    }

Co-authored-by: Ruslan Ermilov <ru@nginx.com>
Co-authored-by: Roman Arutyunyan <arut@nginx.com>
Co-authored-by: Maxim Dounin <mdounin@mdounin.ru>







Mp4: validate sync sample values in stss atom.
2026-02-23T10:10:53+00:00

CodeByMoriarty
czyrabriones4@gmail.com

2026-02-23T00:45:47+00:00

bb8ec295ab59451c19c0ae0c66882b4f84ff4ef7

Per ISO 14496-12 Section 8.6.2, sync sample numbers must be 1-based.
A zero-valued stss entry caused ngx_http_mp4_seek_key_frame() to
return a key_prefix exceeding the samples consumed in the forward
stts pass, which led the backward loop in ngx_http_mp4_crop_stts_data()
to walk past the beginning of the stts data buffer.

The fix validates each stss entry in ngx_http_mp4_seek_key_frame()
and returns an error if a zero sync sample is encountered.  The
function signature is changed to return ngx_int_t so it can signal
errors to the caller.





Per ISO 14496-12 Section 8.6.2, sync sample numbers must be 1-based.
A zero-valued stss entry caused ngx_http_mp4_seek_key_frame() to
return a key_prefix exceeding the samples consumed in the forward
stts pass, which led the backward loop in ngx_http_mp4_crop_stts_data()
to walk past the beginning of the stts data buffer.

The fix validates each stss entry in ngx_http_mp4_seek_key_frame()
and returns an error if a zero sync sample is encountered.  The
function signature is changed to return ngx_int_t so it can signal
errors to the caller.







SCGI: fixed passing CONTENT_LENGTH in unbuffered mode.
2026-02-17T13:45:29+00:00

Sergey Kandaurov
pluknet@nginx.com

2026-01-30T13:06:38+00:00

ec714d52bd4914d52a113234c16e1855d9ac7dcf

Passing requests to SCGI uses a recalculated size of a request body
as per changes made in d60b8d10f (1.3.9) to support CONTENT_LENGTH
with chunked body requests.  This, however, is not compatible with
unbuffered mode introduced later in 7ec559df5 (1.7.11), where such
an approach may not always represent complete request body.

The fix is to use r->headers_in.content_length_n representing either
original Content-Length, if any, or a recalculated value from request
body filters, such as chunked body filter.

Reported by Mufeed VH.





Passing requests to SCGI uses a recalculated size of a request body
as per changes made in d60b8d10f (1.3.9) to support CONTENT_LENGTH
with chunked body requests.  This, however, is not compatible with
unbuffered mode introduced later in 7ec559df5 (1.7.11), where such
an approach may not always represent complete request body.

The fix is to use r->headers_in.content_length_n representing either
original Content-Length, if any, or a recalculated value from request
body filters, such as chunked body filter.

Reported by Mufeed VH.