9 May 18:59
Re: Forcing clients to enable cookies?
From: Brian Rectanus <Brian.Rectanus <at> breach.com>
Subject: Re: Forcing clients to enable cookies?
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-09 16:59:43 GMT
Stefan Müller-Wilken wrote:
> Dear all,
>
> one of my customers has introduced a security policy by which all web
> applications have to do their session handling via cookies. Rather than
> doing the boilerplate code in all web apps I'd like to check in only one
> place if client browsers allow cookies and send them to an error page if
> not.
>
> Is there a way to use mod_security to do the trick? Or would I be better
> off using mod_rewrite instead? Conceptually I would have set a cookie,
> force a reload, and on the next access, see if the cookie is still
> there, right? But how can I do that? Would be great if someone could
> give me an idea!
ModSecurity cannot add cookies, so you would have to use mod_rewrite.
Conceptually you are correct, but it is not quite that easy because you
need to avoid a potential infinite loop of redirects if the browser does
not support cookies (i.e. you set a cookie and redirect, then there is no
cookie, so you repeat). You have to redirect to a cookie test URI, then
if it is the cookie test URI, check for a cookie and then redirect back
to the correct URI.
Something like this (untested, but should give you some ideas):
# Server/virtual-host context (patterns start with "/"); needs the engine on
RewriteEngine On

### Check for a cookie + cookie test URI
RewriteCond %{HTTP_COOKIE} !^$
# Redirect back to the original page. The substitution must start with "/"
# (a bare "$1" would give an unusable Location like "http://hostyour/entry/page")
RewriteRule ^/your/cookie/test/uri/(.*) /$1 [R,L]

### Check for no cookie + cookie test URI
RewriteCond %{HTTP_COOKIE} ^$
# Change the URI (internal redirect) to the error page; no external
# redirect here, so a cookie-less client cannot loop
RewriteRule ^/your/cookie/test/uri/.* /no/cookie/error/page [L]

### No cookie on the entry page
RewriteCond %{HTTP_COOKIE} ^$
# Set a flag stating no cookie
RewriteRule ^/your/entry/page - [E=checkcookie:1]

### Check for checkcookie flag
RewriteCond %{ENV:checkcookie} =1
# Redirect to the cookie test page, appending the original URI, and set a
# test cookie on the way with the CO flag (without it nothing ever sets a
# cookie and every client lands on the error page). Cookie name and domain
# are placeholders; CO needs a domain of at least two dot-separated parts.
RewriteRule ^/(.*) /your/cookie/test/uri/$1 [R,L,CO=cookietest:1:your.domain]

# At this point the client should make another request and
# go back through the above on the cookie test URI with
# or without a cookie.
Hope that helps and just did not confuse you ;)
-B
>
> Cheers
> Stefan.
>
>
> Resco GmbH
> Geschäftsführer: Michael Mörchen
> Amtsgericht Hamburg, HRB 76048
> Ust.Ident-Nr.:DE208833022
>
> Disclaimer: This message is intended only for the use of the individual
> or entity to which it is addressed and may contain information which is
> privileged, confidential, proprietary, or exempt from disclosure under
> applicable law. If you are not the intended recipient or the person
> responsible for delivering the message to the intended recipient, you
> are strictly prohibited from disclosing, distributing, copying, or in
> any way using this message. If you have received this communication in
> error, please notify the sender and destroy and delete any copies you
> may have received.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
--
Brian Rectanus
Breach Security
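The redirect dance from the reply above, modelled in Python as an added example (this is not code from Brian's post nor from Apache; the paths are the placeholders used in the post, while the cookie name "cookietest", the naive variant and the hop limit are assumptions of this example). It follows redirects the way a browser would, once with cookies accepted and once with them refused, and contrasts the post's ruleset with the tempting "set a cookie and redirect to the same URI" shortcut that never terminates for a cookie-less client:

```python
"""Model of the cookie-test redirect flow (added example, not from the post).

Two rulesets are emulated: the one sketched in the reply (redirect to a
dedicated test URI, then either bounce back or rewrite to an error page)
and a naive one that redirects to itself. A toy client follows redirects
with or without a cookie jar so the termination behaviour can be checked.
"""

from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Placeholders from the post; the cookie name is this example's own choice.
ENTRY_PAGE = "/your/entry/page"
TEST_PREFIX = "/your/cookie/test/uri/"
ERROR_PAGE = "/no/cookie/error/page"
TEST_COOKIE = "cookietest"


@dataclass
class Response:
    status: int                        # 200 (served) or 302 (redirect)
    served: Optional[str] = None       # internal path handed to the app
    location: Optional[str] = None     # Location header on a 302
    set_cookie: Optional[str] = None   # Set-Cookie header, if any


def rewrite_rules(path: str, cookie_header: str) -> Response:
    """Emulates the ruleset from the reply, in the same order."""
    has_cookie = cookie_header != ""              # RewriteCond %{HTTP_COOKIE} !^$
    if path.startswith(TEST_PREFIX):
        rest = path[len(TEST_PREFIX):]
        if has_cookie:                            # cookie survived the round trip
            return Response(302, location="/" + rest)
        return Response(200, served=ERROR_PAGE)   # internal rewrite: no new request
    if path == ENTRY_PAGE and not has_cookie:
        # CO flag sets the cookie, R flag bounces to the test URI
        return Response(302, location=TEST_PREFIX + path.lstrip("/"),
                        set_cookie=f"{TEST_COOKIE}=1")
    return Response(200, served=path)


def naive_rules(path: str, cookie_header: str) -> Response:
    """The shortcut the reply warns against: set a cookie, redirect to self."""
    if cookie_header == "":
        return Response(302, location=path, set_cookie=f"{TEST_COOKIE}=1")
    return Response(200, served=path)


Rules = Callable[[str, str], Response]


def browse(rules: Rules, start: str, cookies_enabled: bool,
           max_hops: int = 10) -> Tuple[str, int]:
    """Follow redirects like a browser; return (served_path, redirects_followed).

    Raises RuntimeError if the chain has not ended after max_hops requests.
    """
    jar = {}
    path = start
    for hops in range(max_hops):
        header = "; ".join(f"{k}={v}" for k, v in jar.items())
        resp = rules(path, header)
        if resp.set_cookie and cookies_enabled:
            name, value = resp.set_cookie.split("=", 1)
            jar[name] = value                     # cookie-less client drops it
        if resp.status == 200:
            return resp.served, hops
        path = resp.location
    raise RuntimeError(f"redirect loop: still redirecting after {max_hops} hops at {path}")


def terminates(rules: Rules, start: str, cookies_enabled: bool) -> bool:
    """True if the client reaches a served page within the hop limit."""
    try:
        browse(rules, start, cookies_enabled)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    for enabled in (True, False):
        print("post's ruleset, cookies", enabled, "->",
              browse(rewrite_rules, ENTRY_PAGE, enabled))
    print("naive ruleset, cookies off, terminates:",
          terminates(naive_rules, ENTRY_PAGE, False))
```

With cookies accepted the client needs two redirects (entry page to test URI, test URI back to entry page) and then gets the entry page; with cookies refused it is rewritten to the error page after a single redirect. The naive ruleset only ever produces another 302 for the cookie-less client, which is exactly the loop the test URI is there to avoid.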