Re: Forcing clients to enable cookies?

Hi there, Brian,
thanks for your help! I was so locked in on the idea of using mod_security that I've spent the afternoon
hunting down the setsid+response-modification trail but this looks _by_far more elegant. Reminds me of
what they say about tools: "if you've got a hammer everything looks like a nail!"

Anyways, no need to worry, I don't get confused too easily ;-) But then again, there indeed _IS_ one thing
that confuses me a bit: in your code snippet you nowhere actually set the cookie, right? Something along
the lines of ...

# Set environment variable and at the same time set a probing cookie
# (flags are comma-separated with no space in between, otherwise the
# bracket expression is split into two arguments)
RewriteRule ^/your/entry/page - [E=checkcookie:1,CO=cookieprobe:yes:mydomain.com:1:/]

... would do the trick, no?

Cheers
 Stefan.

________________________________________
From: Brian Rectanus [Brian.Rectanus <at> breach.com]
Sent: Friday, 9 May 2008 18:59
To: Stefan Müller-Wilken
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Forcing clients to enable cookies?

Stefan Müller-Wilken wrote:
> Dear all,
>
> one of my customers has introduced a security policy by which all web
> applications have to do their session handling via cookies. Rather than
> doing the boilerplate code in all web apps I'd like to check in only one
> place if client browsers allow cookies and send them to an error page if
> not.
>
> Is there a way to use mod_security to do the trick? Or would I be better
> off using mod_rewrite instead? Conceptually I would have set a cookie,
> force a reload, and on the next access, see if the cookie is still
> there, right? But how can I do that? Would be great if someone could
> give me an idea!

ModSecurity cannot add cookies, so you would have to use mod_rewrite.
Conceptually you are correct, but it is not quite that easy because you
need to avoid a potential infinite loop of redirects if the browser does
not support cookies (i.e. you set a cookie and redirect, then there is no
cookie, so you repeat).  You have to redirect to a cookie test URI, then
if it is the cookie test URI, check for a cookie and then redirect back
to the correct URI.

Something like this (untested, but should give you some ideas):

### Check for a cookie + cookie test URI
RewriteCond %{HTTP_COOKIE} "!^$"
# Redirect back to the original page
# (the captured part has no leading slash, so one is prepended; without it
# the redirect target would be a relative path)
RewriteRule ^/your/cookie/test/uri/(.*) /$1 [R,L]

### Check for no cookie + cookie test URI
RewriteCond %{HTTP_COOKIE} "^$"
# Change the URI (internal redirect) to the error page
RewriteRule ^/your/cookie/test/uri/.* /no/cookie/error/page [L]

### No cookie on the entry page
RewriteCond %{HTTP_COOKIE} "^$"
# Set a flag stating no cookie
RewriteRule ^/your/entry/page - [E=checkcookie:1]

### Check for checkcookie flag
RewriteCond %{ENV:checkcookie} "=1"
# Redirect to the cookie test page, appending the original uri
RewriteRule ^/(.*) /your/cookie/test/uri/$1 [R,L]
# At this point the client should make another request and
# go back through the above on the cookie test uri with
# or without a cookie.

Hope that helps and just did not confuse you ;)

-B

>
> Cheers
>  Stefan.
>
>
> Resco GmbH
> Managing director: Michael Mörchen
> Hamburg District Court, HRB 76048
> VAT ID: DE208833022
>
>
> Disclaimer: This message is intended only for the use of the individual
> or entity to which it is addressed and may contain information which is
> privileged, confidential, proprietary, or exempt from disclosure under
> applicable law. If you are not the intended recipient or the person
> responsible for delivering the message to the intended recipient, you
> are strictly prohibited from disclosing, distributing, copying, or in
> any way using this message. If you have received this communication in
> error, please notify the sender and destroy and delete any copies you
> may have received.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>

--
Brian Rectanus
Breach Security
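To make the request sequence from Brian's rules easier to follow, here is an added illustration (plain Python, not mod_rewrite or anything from the thread's authors) that re-implements the four rules plus the CO= probe cookie from the reply and steps a client through them. Paths and the cookie name are the thread's placeholders; `naive_rewrite` is a constructed variant that shows the redirect loop Brian warns about when the cookie is set and the client is sent straight back to the same page.

```python
"""Trace of the cookie-probe redirect flow discussed in the thread.

Added illustration, not mod_rewrite code: Brian's four rules plus the CO=
probe cookie from the reply are re-implemented in plain Python so the
request sequence can be stepped through with and without cookie support.
Paths and the cookie name are the placeholders used in the thread.
"""

ENTRY = "/your/entry/page"
TEST_PREFIX = "/your/cookie/test/uri/"
ERROR_PAGE = "/no/cookie/error/page"
PROBE = ("cookieprobe", "yes")            # name and value of the probe cookie


def rewrite(path, cookies):
    """Apply the rules in order to one request; returns (action, target, set_cookie)
    where action is "redirect" (external [R]) or "serve" (answered internally)
    and set_cookie is the CO= cookie carried on the response, or None."""
    has_cookie = bool(cookies)            # HTTP_COOKIE non-empty, as in the rules
    if path.startswith(TEST_PREFIX):
        if has_cookie:                    # rule 1: cookies work, send the client back
            return "redirect", "/" + path[len(TEST_PREFIX):], None
        return "serve", ERROR_PAGE, None  # rule 2: nothing came back
    if not has_cookie and path == ENTRY:  # rule 3: set checkcookie=1 and the probe
        # rule 4: flag set, redirect to the test URI with the original URI appended
        return "redirect", TEST_PREFIX + path.lstrip("/"), PROBE
    return "serve", path, None


def naive_rewrite(path, cookies):
    """Constructed counter-example: set the cookie and redirect to the same page."""
    if not cookies and path == ENTRY:
        return "redirect", ENTRY, PROBE
    return "serve", path, None


def simulate(start, accepts_cookies, rules=rewrite, max_requests=10):
    """Drive one client through the rules; returns (served URI or "loop", hops)."""
    jar, path = {}, start
    for hops in range(1, max_requests + 1):
        action, target, cookie = rules(path, jar)
        if cookie and accepts_cookies:    # the browser stores the Set-Cookie
            jar[cookie[0]] = cookie[1]
        if action == "serve":
            return target, hops
        path = target                     # the client follows the 302
    return "loop", max_requests
```

Note that, like the rules as posted, `rewrite` only checks that some cookie came back; in production you would match the probe cookie by name so an unrelated cookie cannot satisfy the test.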

Resco GmbH
Managing director: Michael Mörchen
Hamburg District Court, HRB 76048
VAT ID: DE208833022

