Solved

write condition if cookie doesn't exist not working

Posted on 2016-09-20
Last Modified: 2016-10-10
We've searched around and found solutions but none are working.

Ref: Correct way to block a site if a cookie isn't present apache 2.4

We followed the answer and it didn't work.

We want to redirect to another page when the cookie does NOT exist (or contain the correct information).

We've tried this:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123.123.123.123
RewriteRule .* - [R=503,L]

The above works as a negative condition.

We tried these examples (we've had to change the URLs to be able to post the question):

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

None of these are working. If we remove the ! symbol (making it a positive condition) they work.

Can someone help with this please?

We'd like to get this to work on Apache 2.2 and 2.4 as we can't get it to work on both.
Not sure which topics to post it in so please let us know if we should post it elsewhere.

Thanks.
Question by:tchurch
3 Comments
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 1000 total points (awarded by participants)
ID: 41808003
Just a quick note - I'd STRONGLY recommend you don't base any security on fixed cookie values. A cookie does not uniquely identify a person or a browser, and anyone can present any cookie that they want at any time. It's extremely easy to do. While mod_rewrite is great for URL manipulation and redirection, it should not be used as a security gateway. The security layer dealing with cookies should really be left up to the application.

It's also worth noting that there's no guaranteed order to the cookie values, nor uniqueness. Some of those examples contain ^ at the beginning, which requires that the cookie value be at the beginning, while others don't have that character. I also see an = sign in some of the cookie values, which usually indicates base64-encoded values (which might be presented differently in the actual cookie value). Whatever the case may be, it could complicate things a bit, so one thing you COULD try is simplify down your example to just "abc" instead of the full "abc_etcetcetc=" token:

RewriteCond %{HTTP_COOKIE} !abc
RewriteRule ...etc...

Now if the simplified example doesn't change anything, then it'll be impossible to really be certain why those above examples aren't working without actually seeing the actual raw requests and responses. I'd suggest you install Fiddler on your test workstation and run that while you're doing the test so you can ensure that the proper cookie values are going over. You can also turn up the logging for mod_rewrite (just while debugging). The syntax is different between Apache 2.2 and 2.4 but the Apache documentation for mod_rewrite will cover exactly what you need to add to your configuration to enable/increase the logging.
0
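The point above about `^` and cookie order, as an added example that is not part of the thread: Python's `re` stands in for mod_rewrite's regex matching and applies the question's four patterns to constructed Cookie headers. The boundary-anchored pattern and the sample header values are assumptions for illustration.

```python
import re

COOKIE = "abc_f8Dple7LxGXcSUgHjFrx"

# The four CondPatterns from the question, without the leading "!"
# (mod_rewrite strips the "!" prefix and negates the match result).
QUESTION_PATTERNS = [
    COOKIE,
    "^" + COOKIE + "=([^;]+)",
    "^" + COOKIE,
    COOKIE + "=([^;]+)",
]
# Assumption: a pattern tied to a cookie boundary instead of the header start.
BOUNDARY_PATTERN = r"(^|;\s*)" + COOKIE + r"=([^;]+)"

# Constructed Cookie header values (what %{HTTP_COOKIE} would hold).
HEADERS = {
    "first": COOKIE + "=1; lang=en",
    "last": "lang=en; " + COOKIE + "=1",
    "absent": "lang=en; theme=dark",
    "lookalike_name": "x" + COOKIE + "=1",
    "empty_value": "lang=en; " + COOKIE + "=",
    "no_header": "",
}

def redirects(pattern: str, header: str) -> bool:
    """True when the negated condition '!pattern' holds, i.e. the rule fires."""
    return re.search(pattern, header) is None

def table(patterns):
    """Map each pattern to {header name: does the redirect fire?}."""
    return {p: {n: redirects(p, h) for n, h in HEADERS.items()} for p in patterns}

if __name__ == "__main__":
    for p, row in table(QUESTION_PATTERNS + [BOUNDARY_PATTERN]).items():
        print("!" + p)
        for name, fired in row.items():
            print(f"    {name:15} -> {'redirect' if fired else 'pass'}")
```

The `^`-anchored patterns redirect a request whose cookie is present but not first in the header, while the unanchored ones let a cookie with a lookalike name through.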
 
LVL 62

Accepted Solution

by:gheist
gheist earned 1000 total points (awarded by participants)
ID: 41808065
Exclamation mark does not work like that in PCRE.
mod_rewrite documentation examples say where to stuff it.
0
 
LVL 62

Expert Comment

by:gheist
ID: 41836571
RTFM sometimes is an answer, sorry
0

Question has a verified solution.