Add request-header key-value pair as a cookie - apache

Good day,
I have a problem with converting a key-value pair within a request header into a cookie. The key-value pair is set in the header by a third-party custom Apache module that I cannot access. It intercepts the request like so:
1. User requests www.my.domain.com/my-app/
2. Third-party module redirects to third-party site appends special_key=foo to the header of the original request.
3. Third-party redirects original request back to the original URL.
I want to then read the modified header in the now modified request and add the special_key=foo as a cookie.
How can this be accomplished?
I have tried to use the RewriteRule like so:
RewriteRule ^/apps/my-app/ - [CO=special_key:%{special_key}i:.my.domain.com:0:/:1:0]
In JavaScript, the cookie's value is printed as cyin="i". Checking the cookie storage in Firefox, I see this value: cyin=i, which is not correct.
I have also tried this method:
<FilesMatch "\.(html)$">
Header set Set-Cookie: "special_key=%{special_key}i; path=/; Domain=.my.domain.com; SameSite=Lax; Secure"
</FilesMatch>
In JavaScript, the cookie's value is printed as cyin="i". Checking the cookie storage in Firefox, I see this value: cyin="i=96" or cyin="i=98", which are not correct.
I can log the value of %{special_key}i, but I can't figure out how to get it into a cookie.
Perhaps the value isn't getting set by the time I want to put it in the cookie. Is there a way I can ensure that the value is set? Add one of these to my specific <LocationMatch "/apps/my-app/">?
Apologies if I've missed something obvious; I am still relatively new to using Apache.
Thank you for any assistance.
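
An added example, not part of the original question and not the third-party module's configuration: `%{special_key}i` is mod_log_config syntax, which is why it can be logged, while mod_headers reads values through `%{VAR}e` and mod_rewrite through `%{HTTP:name}`. The sketch validates the header before reflecting it into Set-Cookie; the character class, the length limit and the point at which the module adds the header are assumptions.

```apache
# Added example. Assumption: the third-party module has already placed the
# request header "special_key" on the request when these directives run.
# The allowed characters and the 128-character limit are assumptions; tighten
# them to the real value format so that ';', whitespace or control characters
# in the header can never add attributes to the cookie.

<LocationMatch "^/apps/my-app/">
    # Copy the header into an environment variable only if it validates,
    # then reference it with %{VAR}e, the form mod_headers expands.
    SetEnvIf special_key "^([A-Za-z0-9._-]{1,128})$" SPECIAL_KEY=$1

    # "add" keeps any Set-Cookie headers the application itself sends;
    # env= skips the header entirely when validation failed or the
    # request header was absent.
    Header add Set-Cookie "special_key=%{SPECIAL_KEY}e; Path=/; Domain=.my.domain.com; SameSite=Lax; Secure" env=SPECIAL_KEY
</LocationMatch>

# Alternative for Apache 2.4.10 or later, to be used instead of the block
# above if the module adds the header too late for SetEnvIf to see it:
# the expression is evaluated when the response headers are built.
#
# <LocationMatch "^/apps/my-app/">
#     Header add Set-Cookie "expr=special_key=%{req:special_key}; Path=/; Domain=.my.domain.com; SameSite=Lax; Secure" "expr=%{req:special_key} =~ /^[A-Za-z0-9._-]{1,128}$/"
# </LocationMatch>
```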

Related

How to debug why cookie is not being set with setcookie on one server but works on other?

I have included a form which takes user's input and sets a cookie with setcookie php function while processing the form.
This works in one server, but doesn't work on other.
The server on which the cookie isn't working shows some blank httponly cookies in the client's browser.
I don't know how to troubleshoot this. I can see form values are successfully being submitted in POST, but I don't know what's happening when it runs setcookie.
And yes, I am setting the cookie before the HTML and in the headers.
My PHP is a custom installation, version 5.4.45, and the httpd version is 2.2.
This was set in my httpd.conf file, causing the cookie to not work:
Header set Set-Cookie HttpOnly;Secure
I don't know the consequences of disabling it. But I have disabled it anyway temporarily, until I know what they are for.
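
The directive quoted above replaces every Set-Cookie header with the literal text HttpOnly;Secure, so the cookie name and value sent by PHP are discarded. An added example (not from the original post) that appends the attributes to each cookie instead, assuming mod_headers 2.2.4 or later for `Header edit`:

```apache
# Added example. "Header set" overwrites the application's Set-Cookie header;
# "Header edit" rewrites each existing Set-Cookie value in place.

# Append HttpOnly unless the cookie already carries it (case-insensitive
# check, so a cookie that sets the flag itself is not given it twice).
Header edit Set-Cookie "(?i)^((?!.*;\s*HttpOnly).*)$" "$1; HttpOnly"

# Append Secure the same way. Browsers only return Secure cookies over
# HTTPS, so enable this line only on a site that is served over TLS.
Header edit Set-Cookie "(?i)^((?!.*;\s*Secure).*)$" "$1; Secure"
```

HttpOnly keeps the cookie out of reach of page scripts, so leave it off for any cookie that client-side JavaScript must read.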

Apache-2.2 Set-Cookie on logic from a response header

I need to set a cookie based on a response header (as opposed to a request header). The response header is set by a SOAP call to a backend - and is out of Apache's control.
I've looked into SetEnvIf, but it states that it investigates request headers only. mod_rewrite's {HTTP:parm} construct also seems to apply to request headers only.
1. Request coming in
2. Response header is generated by backend
3. Apache investigates response header FooBar
4. Apache adds Set-Cookie if the response header FooBar value matches "string"
Any ideas out there?
It looks like this can be done with mod_headers, but unfortunately only with Apache 2.4, since expressions were only added in 2.4. You would do something like:
Header set Set-Cookie "cookie-contents-here" "expr=%{resp:Content-Type} =~ m|application/pdf|"
If you can't upgrade to 2.4, you might consider putting Varnish Cache in front of your Apache install. It's a powerful HTTP processor and can easily handle modifying the response for you. You could also implement caching with it and increase the performance of your site, but it can just be used as a pass-through HTTP processor if you don't want to do that. Perhaps there's a simpler solution but that would work.
Another option could be to put a layer in between Apache and your back-end, such as a PHP script, that handles passing the call to the back-end and modifying the headers on the way back out. Probably not great for performance though; upgrading Apache or implementing Varnish Cache would be better.
If you're using a separate back-end out of Apache's control, then you might take Apache out of the loop completely and go straight from Varnish Cache to your back-end.
Hope the ideas help.

What's an Alternative/Fix to $.post for Cross Domain for Unknown Amount of Domains

This could be a very amateur/bad approach to what really needs to be done, but I'm currently building a platform that can be embedded on clients' websites with a script tag. That script then allows a user to input some information and send it off to an email. One of the options on there is to see a certain person's social media. What I want to do is log the social button clicks to a MySQL database.
Currently my code for the social click is a $.post to b.domain.com. I'm getting the error: XMLHttpRequest cannot load due to access control checks. This error goes away when I manually add each domain to the allow origin in .htaccess, but this would be very frustrating to have to add this for every domain a client wants to embed the script on. * can't be used because of Allow Credentials so I'm kind of stuck in my limited knowledge on this topic.
Any pointing in the right direction would be appreciated, and apologies if the question wasn't worded properly/with enough information.
This error goes away when I manually add each domain to the allow origin in .htaccess, but this would be very frustrating to have to add this for every domain a client wants to embed the script on.
* can't be used because of Allow Credentials
So instead of sending * in the response you can have the value of the Origin request header essentially just echoed to the value of the Access-Control-Allow-Origin response header:
SetEnvIfNoCase ORIGIN (.*) ORIGIN=$1
Header always set Access-Control-Allow-Origin "%{ORIGIN}e"
That will allow requests from any origin even when the requests include credentials.
Below is an alternative way to achieve the same effect.
RewriteEngine On
RewriteCond %{HTTP:Origin} (.+)
RewriteRule . - [E=CORS_ORIGIN:%1]
Header set Access-Control-Allow-Origin %{CORS_ORIGIN}e env=CORS_ORIGIN
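
Reflecting every Origin together with Access-Control-Allow-Credentials lets any site read credentialed responses, so a common hardened form reflects only origins that match an allowlist. An added example, not part of the original answer; the two client host names are placeholders:

```apache
# Added example. client-a.example and client-b.example are placeholders
# (assumptions); extend the alternation with one entry per embedding site.
# The Origin value is echoed only when it matches; $0 is the whole match.
SetEnvIfNoCase Origin "^https://(www\.)?(client-a\.example|client-b\.example)$" CORS_ORIGIN=$0

# Sent only for allowlisted origins. Any other origin receives no CORS
# headers, so the browser refuses to expose the response to that page.
Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN

# The response now varies with the request's Origin header, so shared
# caches must not serve one origin's response to another.
Header always merge Vary "Origin"
```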

Rewrite Apache session cookie to append 'expires' attribute

I'm using Apache as a reverse proxy with forms authentication.
Using SessionMaxAge I can set the cookie to expire after 24 hours.
This renders the 'max-age' attribute into the cookie.
Unfortunately Internet Explorer only accepts the 'expires' attribute.
Is there a way to, for example, rewrite the cookie before sending it to the client?
Thanks in advance.
Kind regards,
Kevin
Yes, it is possible to edit both request and response headers using the Header directive in mod_headers.
The best approach would probably be to use Header edit Set-Cookie ^(.*)$ $1;Expires..... However, mod_headers can't do the actual Expires string itself (it doesn't know how to produce that date format), so you will have to actually put that inside the original cookie or another header, then grab it from there and put it into the Header directive. It's quite complicated, but it is possible.

How to have apache only set P3P header on responses?

So we have a foreign site that's pulling in a cookie and login widget from our domestic site. Since the foreign site is .de, but our domestic site is .com, it treats our login widget request as a third-party cookie. To get around this we're using mod_headers in Apache 2.2, which works, but it's being set on every request. We'd like to find a way for it to only be set on responses that are setting cookies. Below is what we have currently. Is there any way to narrow it down?
Header set P3P 'CP="This is not a P3P policy! See our privacy statement here http://www.example.com/example/cms/lang/en/site/products/home/privacy-statement"'
I think you actually need to set up this header on every resource on your external iframe.
Look here. This resolved the problem I had with P3P also.