Solved

write condition if cookie doesn't exist not working

Posted on 2016-09-20
3
36 Views
Last Modified: 2016-10-10
We've searched around and found solutions but none are working.

Ref: Correct way to block a site if a cookie isn't present apache 2.4

We followed the answer and it didn't work.

We want to redirect to another page when the cookie does NOT exist (or contain the correct information).

We're tried this:

RewriteEngine on RewriteCond %{REMOTE_ADDR} !^123.123.123.123
RewriteRule .* - [R=503,L]

The above works as a negative condition.

We tried these examples (we've had to change the URLs to be able to post the question):

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !^abc_f8Dple7LxGXcSUgHjFrx
RewriteRule .* www.example.co.uk/no-access [R=301,L]

RewriteCond %{HTTP_COOKIE} !abc_f8Dple7LxGXcSUgHjFrx=([^;]+)
RewriteRule .* www.example.co.uk/no-access [R=301,L]

None of these are working. If we remove the ! symbol (making it a positive condition) they work.

Can someone help with this please?

We'd like to get this to work on Apache 2.2 and 2.4 as we can't get it to work on both.
Not sure which topics to post it in so please let us know if we should post it elsewhere.

Thanks.
0
Comment
Question by:tchurch
  • 2
3 Comments
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points (awarded by participants)
ID: 41808003
Just a quick note - I'd STRONGLY recommend you don't base any security on fixed cookie values. A cookie does not uniquely identify a person or a browser, and anyone can present any cookie that they want at any time. It's extremely easy to do. While mod_rewrite is great for URL manipulation and redirection, it should not be used as a security gateway. The security layer dealing with cookies should really be left up to the application.

It's also worth noting that there's no guaranteed order to the cookie values, nor uniqueness. Some of those examples contain ^ at the beginning, which requires that the cookie value be at the beginning, while others don't have that character. I also see an = sign in some of the cookie values, which usually indicates base64-encoded values (which might be presented differently in the actual cookie value). Whatever the case may be, it could complicate things a bit, so one thing you COULD try is simplify down your example to just "abc" instead of the full "abc_etcetcetc=" token:

RewriteCond %{HTTP_COOKIE} !abc
RewriteRule ...etc...

Now if the simplified example doesn't change anything, then it'll be impossible to really be certain why those above examples aren't working without actually seeing the actual raw requests and responses. I'd suggest you install Fiddler on your test workstation and run that while you're doing the test so you can ensure that the proper cookie values are going over. You can also turn up the logging for mod_rewrite (just while debugging). The syntax is different between Apache 2.2 and 2.4 but the Apache documentation for mod_rewrite will cover exactly what you need to add to your configuration to enable/increase the logging.
0
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points (awarded by participants)
ID: 41808065
exclamation mark does not work like that in PCRE
mod_rewrite documentation examples say where to stuff it.
0
 
LVL 62

Expert Comment

by:gheist
ID: 41836571
RTFM sometimes is an answer, sorry
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read about why website design really matters in today's demanding market.
FAQ pages provide a simple way for you to supply and for customers to find answers to the most common questions about your company. Here are six reasons why your company website should have a FAQ page
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
The viewer will learn how to count occurrences of each item in an array.

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now