Solved

write condition if cookie doesn't exist not working

Posted on 2016-09-20
Last Modified: 2016-10-10
We've searched around and found solutions but none are working.

Ref: Correct way to block a site if a cookie isn't present apache 2.4

We followed the answer and it didn't work.

We want to redirect to another page when the cookie does NOT exist (or contain the correct information).

We've tried this:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123.123.123.123
RewriteRule .* - [R=503,L]

The above works as a negative condition.

We tried these examples (we've had to change the URLs to be able to post the question):

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

None of these are working. If we remove the ! symbol (making it a positive condition) they work.

Can someone help with this please?

We'd like to get this to work on Apache 2.2 and 2.4 as we can't get it to work on both.
Not sure which topics to post it in so please let us know if we should post it elsewhere.

Thanks.
Question by:tchurch
Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points (awarded by participants)
Just a quick note - I'd STRONGLY recommend you don't base any security on fixed cookie values. A cookie does not uniquely identify a person or a browser, and anyone can present any cookie that they want at any time. It's extremely easy to do. While mod_rewrite is great for URL manipulation and redirection, it should not be used as a security gateway. The security layer dealing with cookies should really be left up to the application.

It's also worth noting that there's no guaranteed order to the cookie values, nor uniqueness. Some of those examples contain ^ at the beginning, which requires that the cookie value be at the beginning, while others don't have that character. I also see an = sign in some of the cookie values, which usually indicates base64-encoded values (which might be presented differently in the actual cookie value). Whatever the case may be, it could complicate things a bit, so one thing you COULD try is simplify down your example to just "abc" instead of the full "abc_etcetcetc=" token:

RewriteCond %{HTTP_COOKIE} !abc
RewriteRule ...etc...

Now if the simplified example doesn't change anything, then it'll be impossible to really be certain why those above examples aren't working without actually seeing the actual raw requests and responses. I'd suggest you install Fiddler on your test workstation and run that while you're doing the test so you can ensure that the proper cookie values are going over. You can also turn up the logging for mod_rewrite (just while debugging). The syntax is different between Apache 2.2 and 2.4 but the Apache documentation for mod_rewrite will cover exactly what you need to add to your configuration to enable/increase the logging.
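The anchoring and cookie-order point from the answer above, as an added example that is not part of the original thread: a Python model of how mod_rewrite evaluates a negated `RewriteCond` regex, run over constructed `Cookie` header values. The helper names, the sample headers and the delimiter-aware pattern are assumptions made for illustration, and Python's `re` stands in for PCRE (the two agree for these patterns).

```python
import re

# Cookie name from the question; every header value below is a constructed sample.
NAME = "abc_f8Dple7LxGXcSUgHjFrx"

# The four CondPatterns from the question, plus one delimiter-aware pattern that
# is an assumption added here. A leading "!" negates the regex result.
COND_PATTERNS = {
    "unanchored name": "!" + NAME,
    "anchored name=value": "!^" + NAME + "=([^;]+)",
    "anchored name": "!^" + NAME,
    "unanchored name=value": "!" + NAME + "=([^;]+)",
    "delimiter-aware": r"!(^|;\s*)" + NAME + "=[^;]+",
}

# Constructed Cookie header values, as %{HTTP_COOKIE} would expose them.
SAMPLE_HEADERS = {
    "cookie first": NAME + "=1; lang=en",
    "cookie second": "lang=en; " + NAME + "=1",
    "cookie absent": "lang=en",
    "no header": "",  # a missing header expands to an empty string
    "longer cookie name": "x" + NAME + "=1",
    "empty value": NAME + "=",
}

def cond_is_true(cond_pattern: str, test_string: str) -> bool:
    """Model of a regex RewriteCond: unanchored search, optional '!' negation."""
    negate = cond_pattern.startswith("!")
    regex = cond_pattern[1:] if negate else cond_pattern
    matched = re.search(regex, test_string) is not None
    return matched != negate

def redirect_table() -> dict:
    """Map (pattern label, header label) -> True when the rule would redirect."""
    return {
        (p, h): cond_is_true(pattern, header)
        for p, pattern in COND_PATTERNS.items()
        for h, header in SAMPLE_HEADERS.items()
    }

if __name__ == "__main__":
    table = redirect_table()
    for p in COND_PATTERNS:
        row = ", ".join(f"{h}: {'redirect' if table[(p, h)] else 'pass'}"
                        for h in SAMPLE_HEADERS)
        print(f"{p:22} {row}")
```

The `^`-anchored patterns redirect a request that carries the cookie in second position, and the unanchored ones pass a differently named cookie that merely contains the name; in every case the check only establishes that a string is present in the header.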

Accepted Solution

by:
gheist earned 250 total points (awarded by participants)
Exclamation mark does not work like that in PCRE.
mod_rewrite documentation examples say where to stuff it.

Expert Comment

by:gheist
RTFM sometimes is an answer, sorry