[GH-ISSUE #4423] "Cache Assets" option caches responses with cookies #2832

New issue

Open

opened 2026-02-26 07:36:55 +03:00 by kerem · 10 comments

kerem commented 2026-02-26 07:36:55 +03:00

Owner

Copy link

Originally created by @ssddanbrown on GitHub (Mar 8, 2025).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4423

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug

Hello,
I believe that the "Cache Assets" is currently caching responses which contain cookies, which isn't something I'd expect by default (at least without warning).
This can lead to responses with session cookies being cached and provided back to other users.
This is something I discovered when supporting a user of my software, who was using nginx-proxy-manager with this option enabled, who found that their login accounts would change somewhat randomly.

I believe this is down to the following proxy_ignore_headers line:

github.com/NginxProxyManager/nginx-proxy-manager@79d28f03d0/docker/rootfs/etc/nginx/conf.d/include/assets.conf (L9)

When reading initially, I thought that this line was specifically preventing responses with Set-Cookie headers from being cached, but this is not the case.
From what I understand, by default nginx won't cache proxy responses with the Set-Cookie field following the guidance here:

If the header includes the “Set-Cookie” field, such a response will not be cached.

The proxy_ignore_headers option then tells nginx to ignore certain headers for its own internal processing. It does not ignore responses that have these headers as I initially assumed when reading.
In this case, since Set-Cookie is used with this option, it's essentially telling nginx to ignore its default behaviour and allow Set-Cookie responses to be cached.

Testing/Replication

I tested this via a simple PHP script to set a cookie:

Script

<?php

$expires = time()+60*60*24*30;
$dateTime = str_replace(':', '-', date(DATE_ATOM));
$requestPath = $_SERVER["REQUEST_URI"];

setcookie("beans", $dateTime, $expires);

echo ("hello from {$requestPath}; Cookie value: {$dateTime}; Expires: " . $expires);

Then I ran that script with php -S 0.0.0.0:8000 server.php, then created a proxy server to that host, with the "Cache Assets" option enabled. A request to /cat.png would then become cached.

Then I removed Set-Cookie from line 9 of the /etc/nginx/conf.d/include/assets.conf, restarted the container, then tested again via a different endpoint (/dog.png) and observed that the response was no longer cached.

Nginx Proxy Manager Version
v2.12.3

Expected behavior

Responses with cookies applied should not be cached (by default).

Operating System
Fedora 41

---

Note: I did think about reporting this as a security issue, since it can interplay with user sessions via cookies, but I couldn't find any security reporting details or contact details, but instead found past similar requests for security contact details go unanswered. Should be a niche scenario anyway (instances with cache option active, where assets could be served with relevant cookies).

Originally created by @ssddanbrown on GitHub (Mar 8, 2025). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4423 **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - Yes - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** Hello, I believe that the "Cache Assets" is currently caching responses which contain cookies, which isn't something I'd expect by default (at least without warning). This can lead to responses with session cookies being cached and provided back to other users. This is something I discovered when supporting a user of my software, who was using nginx-proxy-manager with this option enabled, who found that their login accounts would change somewhat randomly. I believe this is down to the following `proxy_ignore_headers` line: https://github.com/NginxProxyManager/nginx-proxy-manager/blob/79d28f03d035114b80dcd04845306ecb98175074/docker/rootfs/etc/nginx/conf.d/include/assets.conf#L9 When reading initially, I thought that this line was specifically preventing responses with `Set-Cookie` headers from being cached, but this is not the case. From what I understand, by default nginx won't cache proxy responses with the `Set-Cookie` field following [the guidance here](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid): > If the header includes the “Set-Cookie” field, such a response will not be cached. The [`proxy_ignore_headers` option](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ignore_headers) then tells nginx to ignore certain headers for its own internal processing. It does not ignore responses that have these headers as I initially assumed when reading. In this case, since `Set-Cookie` is used with this option, it's essentially telling nginx to ignore its default behaviour and allow `Set-Cookie` responses to be cached. ### Testing/Replication I tested this via a simple PHP script to set a cookie: <details> <summary>Script</summary> ```php <?php $expires = time()+60*60*24*30; $dateTime = str_replace(':', '-', date(DATE_ATOM)); $requestPath = $_SERVER["REQUEST_URI"]; setcookie("beans", $dateTime, $expires); echo ("hello from {$requestPath}; Cookie value: {$dateTime}; Expires: " . $expires); ``` </details> Then I ran that script with `php -S 0.0.0.0:8000 server.php`, then created a proxy server to that host, with the "Cache Assets" option enabled. A request to `/cat.png` would then become cached. Then I removed `Set-Cookie` from line 9 of the `/etc/nginx/conf.d/include/assets.conf`, restarted the container, then tested again via a different endpoint (`/dog.png`) and observed that the response was no longer cached. **Nginx Proxy Manager Version** v2.12.3 **Expected behavior** Responses with cookies applied should not be cached (by default). **Operating System** Fedora 41 --- Note: I did think about reporting this as a security issue, since it can interplay with user sessions via cookies, but I couldn't find any security reporting details or contact details, but instead found past similar requests for security contact details go unanswered. Should be a niche scenario anyway (instances with cache option active, where assets could be served with relevant cookies).

kerem added the

bug

label 2026-02-26 07:36:55 +03:00

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@Adiack06 commented on GitHub (Mar 21, 2025):

I have had the same issue while using book-stack (the software @ssddanbrown makes) with this nginx proxy setting enabled

<!-- gh-comment-id:2743715516 --> @Adiack06 commented on GitHub (Mar 21, 2025): I have had the same issue while using book-stack (the software @ssddanbrown makes) with this nginx proxy setting enabled

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@faulpeltz commented on GitHub (Apr 3, 2025):

@ssddanbrown This causes problems with self-hosted GitLab instances as well, because some assets like user-profile images contain a cookie header (which they probably shouldn't), causing intermittent session takeover across accounts

I think NPM should, in a standard setting, never cache Set-Cookie headers or aggressively override caching based on file extension alone, instead I suggest maybe have a "standard" "force/aggressive" cache mode if you really need it?

<!-- gh-comment-id:2774935169 --> @faulpeltz commented on GitHub (Apr 3, 2025): @ssddanbrown This causes problems with self-hosted GitLab instances as well, because some assets like user-profile images contain a cookie header (which they probably shouldn't), causing intermittent session takeover across accounts I think NPM should, in a standard setting, never cache Set-Cookie headers or aggressively override caching based on file extension alone, instead I suggest maybe have a "standard" "force/aggressive" cache mode if you really need it?

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@francescocaponio commented on GitHub (Apr 16, 2025):

As a reference, I'm attaching the link to gitlab's issue.

Please note that the issue happens even if the Cache Assets option is disabled from the UI.

<!-- gh-comment-id:2809683619 --> @francescocaponio commented on GitHub (Apr 16, 2025): As a reference, I'm attaching the link to [gitlab's issue](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/34676). Please note that **the issue happens** even if the Cache Assets option is disabled from the UI.

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@ssddanbrown commented on GitHub (Apr 16, 2025):

Please note that the issue happens even if the Cache Assets option is disabled from the UI.

@francescocaponio Have you verified that from a (relatively) clean state? From when I opened this, it looks like the relevant nginx config was only at play with the setting enabled, so would be surprised unless there's some other level of caching config, or caching layer in play, or retained session after toggling the caching option.

<!-- gh-comment-id:2809773190 --> @ssddanbrown commented on GitHub (Apr 16, 2025): > Please note that the issue happens even if the Cache Assets option is disabled from the UI. @francescocaponio Have you verified that from a (relatively) clean state? From when I opened this, it looks like the relevant nginx config was only at play with the setting enabled, so would be surprised unless there's some other level of caching config, or caching layer in play, or retained session after toggling the caching option.

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@francescocaponio commented on GitHub (Apr 16, 2025):

We noticed it on our instance, but also user alexhoisl on the gitlab issue tracker is experiencing the same problem with cache disabled.

<!-- gh-comment-id:2809813564 --> @francescocaponio commented on GitHub (Apr 16, 2025): We noticed it on our instance, but also user [alexhoisl](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/34676#note_2431573233) on the gitlab issue tracker is experiencing the same problem with cache disabled.

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@ssddanbrown commented on GitHub (Apr 16, 2025):

@francescocaponio They confirm, in their next comment, that information was wrong and later confirm that they no longer have the issue with caching disabled. Since this applies to cookies those wrong cookies will remain in browsers for a while, so even after changing the setting existing sessions/cookies could need to expire or be deleted/invalidated otherwise wrong logins (or other problems caused by mixed cookies) may persist.

<!-- gh-comment-id:2809827575 --> @ssddanbrown commented on GitHub (Apr 16, 2025): @francescocaponio They confirm, in their next comment, that information was wrong and later confirm that they no longer have the issue with caching disabled. Since this applies to cookies those wrong cookies will remain in browsers for a while, so even after changing the setting existing sessions/cookies could need to expire or be deleted/invalidated otherwise wrong logins (or other problems caused by mixed cookies) may persist.

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@francescocaponio commented on GitHub (Apr 16, 2025):

Now I see it, sorry, but I read it fast.

We should do a more consistent test here too. In our environment we have two instances of npm, one from external ips and one from internal ones. They were configured differently for the caching option. Let me check it better, but it's quite difficult to make it happen in a reliable way.

<!-- gh-comment-id:2809849102 --> @francescocaponio commented on GitHub (Apr 16, 2025): Now I see it, sorry, but I read it fast. We should do a more consistent test here too. In our environment we have two instances of npm, one from external ips and one from internal ones. They were configured differently for the caching option. Let me check it better, but it's quite difficult to make it happen in a reliable way.

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@ahoisl commented on GitHub (Apr 16, 2025):

Sorry for the confusion!
Yes, after disabling "Cache Assets" the GitLab authentication problem was fixed.

<!-- gh-comment-id:2810573717 --> @ahoisl commented on GitHub (Apr 16, 2025): Sorry for the confusion! Yes, after disabling "Cache Assets" the GitLab authentication problem was fixed.

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Oct 19, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:3419146494 --> @github-actions[bot] commented on GitHub (Oct 19, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 07:36:56 +03:00

Author

Owner

Copy link

@ssddanbrown commented on GitHub (Oct 19, 2025):

👍 I think it's worth keeping open @github-actions bot!

<!-- gh-comment-id:3419513796 --> @ssddanbrown commented on GitHub (Oct 19, 2025): 👍 I think it's worth keeping open @github-actions bot!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#2832

No description provided.