write condition if cookie doesn't exist not working

We've searched around and found solutions but none are working.

Ref: Correct way to block a site if a cookie isn't present apache 2.4

We followed the answer and it didn't work.

We want to redirect to another page when the cookie does NOT exist (or contain the correct information).

We're tried this:

RewriteEngine on RewriteCond %{REMOTE_ADDR} !^123.123.123.123
RewriteRule .* - [R=503,L]

The above works as a negative condition.

We tried these examples (we've had to change the URLs to be able to post the question):

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

None of these are working. If we remove the ! symbol (making it a positive condition) they work.

Can someone help with this please?

We'd like to get this to work on Apache 2.2 and 2.4 as we can't get it to work on both.
Not sure which topics to post it in so please let us know if we should post it elsewhere.

Thanks.
tchurchAsked:
Who is Participating?
 
gheistCommented:
exclamation mark does not work like that in PCRE
mod_rewrite documentation examples say where to stuff it.
0
 
gr8gonzoConsultantCommented:
Just a quick note - I'd STRONGLY recommend you don't base any security on fixed cookie values. A cookie does not uniquely identify a person or a browser, and anyone can present any cookie that they want at any time. It's extremely easy to do. While mod_rewrite is great for URL manipulation and redirection, it should not be used as a security gateway. The security layer dealing with cookies should really be left up to the application.

It's also worth noting that there's no guaranteed order to the cookie values, nor uniqueness. Some of those examples contain ^ at the beginning, which requires that the cookie value be at the beginning, while others don't have that character. I also see an = sign in some of the cookie values, which usually indicates base64-encoded values (which might be presented differently in the actual cookie value). Whatever the case may be, it could complicate things a bit, so one thing you COULD try is simplify down your example to just "abc" instead of the full "abc_etcetcetc=" token:

RewriteCond %{HTTP_COOKIE} !abc
RewriteRule ...etc...

Now if the simplified example doesn't change anything, then it'll be impossible to really be certain why those above examples aren't working without actually seeing the actual raw requests and responses. I'd suggest you install Fiddler on your test workstation and run that while you're doing the test so you can ensure that the proper cookie values are going over. You can also turn up the logging for mod_rewrite (just while debugging). The syntax is different between Apache 2.2 and 2.4 but the Apache documentation for mod_rewrite will cover exactly what you need to add to your configuration to enable/increase the logging.
0
 
gheistCommented:
RTFM sometimes is an answer, sorry
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.