
Diagnosing cookie issues with nginx

Open AlanIWBFT opened this issue 9 months ago • 1 comments

So, there are a few caveats with auth_request. webauthn_proxy wants to manipulate cookies (mainly expiration) in HandleAuth, which isn't going to be respected until you add the following to your location:

auth_request_set $new_cookie $sent_http_set_cookie;
add_header Set-Cookie $new_cookie;

Then, the next issue is error_page 401 = /webauthn/login?redirect_url=$uri;. This form causes nginx to do an internal redirect, i.e. replacing the content at $uri with the login page, overriding the headers, including the cookies HandleAuth wants to clear, and results in redirecting indefinitely. Further, if there is any space in $uri, it causes the Go http server (not nginx) to throw a 400 Bad Request response. These can be fixed by:

error_page 401 = $scheme://$http_host/webauthn/login?redirect_url=$uri;

which forces nginx to do an external redirect, and HandleLogin will actually see redirect_url (yes, it was not doing anything). I caught these issues by setting hardTimeout < softTimeout. Yes, I know it is an invalid case, yet I believe making ExpireWebauthnSession work in HandleAuth does have some value.

AlanIWBFT, Mar 19 '25 09:03
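
The two changes from the post above, placed in a full server block with the original error_page form kept as a comment for comparison. This is an added example, not configuration from the thread or from the webauthn_proxy project; the hostname, certificate paths, upstream addresses and the /webauthn/auth subrequest path are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;                      # placeholder hostname
    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder path

    # Endpoints answered by webauthn_proxy itself (login page, auth check).
    location /webauthn/ {
        proxy_pass http://127.0.0.1:8080;             # assumed proxy address
        proxy_set_header Host $http_host;
    }

    # Protected application.
    location / {
        # Assumed path of the auth check that HandleAuth answers.
        auth_request /webauthn/auth;

        # Copy the Set-Cookie produced by the auth subrequest onto the
        # response sent to the browser. Without these two lines the cookie
        # changes made in HandleAuth stay inside the subrequest.
        auth_request_set $new_cookie $sent_http_set_cookie;
        add_header Set-Cookie $new_cookie;
        # Note: add_header is only applied to 2xx/3xx responses unless
        # "always" is given, and declaring it here stops inheritance of
        # add_header directives from the server level.

        # Before: a path-only target makes nginx do an internal redirect.
        # error_page 401 = /webauthn/login?redirect_url=$uri;

        # After: a full URL makes nginx send an external redirect, so the
        # browser requests the login page itself.
        error_page 401 = $scheme://$http_host/webauthn/login?redirect_url=$uri;
        # $http_host is the Host header as the client sent it. Replacing it
        # with the fixed server_name keeps the redirect target independent
        # of client input.

        proxy_pass http://127.0.0.1:3000;             # placeholder backend
    }
}
```

After reloading, an unauthenticated request to a protected path should return a redirect whose Location header is the full /webauthn/login URL, and authenticated responses should carry the Set-Cookie from the auth check.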

Your fix for the 401 issue worked for me, thank you @AlanIWBFT !

nginx version: nginx/1.24.0 (Ubuntu) using docker version with latest image quiq/webauthn_proxy:latest created 2025-06-11 13:46:09

MartinVincent, Jun 20 '25 20:06