Solved

write condition if cookie doesn't exist not working

Posted on 2016-09-20
Last Modified: 2016-10-10
We've searched around and found solutions but none are working.

Ref: Correct way to block a site if a cookie isn't present apache 2.4

We followed the answer and it didn't work.

We want to redirect to another page when the cookie does NOT exist (or contain the correct information).

We've tried this:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123.123.123.123
RewriteRule .* - [R=503,L]

The above works as a negative condition.

We tried these examples (we've had to change the URLs to be able to post the question):

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

None of these are working. If we remove the ! symbol (making it a positive condition) they work.

Can someone help with this please?

We'd like to get this to work on Apache 2.2 and 2.4 as we can't get it to work on both.
Not sure which topics to post it in so please let us know if we should post it elsewhere.

Thanks.
Question by:tchurch

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points (awarded by participants)
ID: 41808003
Just a quick note - I'd STRONGLY recommend you don't base any security on fixed cookie values. A cookie does not uniquely identify a person or a browser, and anyone can present any cookie that they want at any time. It's extremely easy to do. While mod_rewrite is great for URL manipulation and redirection, it should not be used as a security gateway. The security layer dealing with cookies should really be left up to the application.

It's also worth noting that there's no guaranteed order to the cookie values, nor uniqueness. Some of those examples contain ^ at the beginning, which requires that the cookie value be at the beginning, while others don't have that character. I also see an = sign in some of the cookie values, which usually indicates base64-encoded values (which might be presented differently in the actual cookie value). Whatever the case may be, it could complicate things a bit, so one thing you COULD try is simplify down your example to just "abc" instead of the full "abc_etcetcetc=" token:

RewriteCond %{HTTP_COOKIE} !abc
RewriteRule ...etc...

Now if the simplified example doesn't change anything, then it'll be impossible to really be certain why those above examples aren't working without actually seeing the actual raw requests and responses. I'd suggest you install Fiddler on your test workstation and run that while you're doing the test so you can ensure that the proper cookie values are going over. You can also turn up the logging for mod_rewrite (just while debugging). The syntax is different between Apache 2.2 and 2.4 but the Apache documentation for mod_rewrite will cover exactly what you need to add to your configuration to enable/increase the logging.

Accepted Solution

by:gheist
gheist earned 250 total points (awarded by participants)
ID: 41808065
exclamation mark does not work like that in PCRE
mod_rewrite documentation examples say where to stuff it.

Expert Comment

by:gheist
ID: 41836571
RTFM sometimes is an answer, sorry
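
Added example, not part of the original thread: it evaluates the four negated cookie patterns from the question against constructed Cookie header values, to show the anchoring and ordering effects gr8gonzo describes. Assumptions: Python's `re` stands in for Apache's PCRE engine (the two agree for these simple patterns), and `NAME_ANCHORED` is an alternative pattern introduced here, not one taken from the thread.

```python
import re

COOKIE = "abc_f8Dple7LxGXcSUgHjFrx"

# The four CondPatterns from the question, without the leading "!".
QUESTION_PATTERNS = [
    COOKIE,
    "^" + COOKIE + "=([^;]+)",
    "^" + COOKIE,
    COOKIE + "=([^;]+)",
]

# Assumed alternative (not from the thread): the cookie name must start the
# header or directly follow a ";" separator, and must carry a non-empty value.
NAME_ANCHORED = r"(^|;\s*)" + COOKIE + r"=[^;]+"


def redirects(pattern: str, cookie_header: str) -> bool:
    """Model 'RewriteCond %{HTTP_COOKIE} !pattern': the condition is true,
    so the RewriteRule fires, when the regex matches nowhere in the header."""
    return re.search(pattern, cookie_header) is None


# Constructed Cookie header values; a missing header expands to "".
SAMPLES = {
    "no cookie": "",
    "cookie first": COOKIE + "=1; lang=en",
    "cookie last": "lang=en; " + COOKIE + "=1",
    "name inside another cookie": "x" + COOKIE + "=1",
    "empty value": COOKIE + "=",
}


def table(patterns):
    """Return {pattern: {sample name: True if the request is redirected}}."""
    return {p: {name: redirects(p, hdr) for name, hdr in SAMPLES.items()}
            for p in patterns}


if __name__ == "__main__":
    for pattern, row in table(QUESTION_PATTERNS + [NAME_ANCHORED]).items():
        print("!" + pattern)
        for name, fired in row.items():
            print(f"    {name:28} -> {'redirect' if fired else 'pass'}")
```

A "pass" only means the header contained that cookie name; the client chooses what it sends, which is gr8gonzo's reason for leaving the access decision to the application.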


Question has a verified solution.
