Using Mod_Rewrite to edit a cookie conditionally - apache

My cookie value JSESSIONID is of the form id.bunchofstuff
My cookie value name_of_msfcookie is of the form bunchofstuff2
If the MSF cookie exists, I want to change my JSESSIONID to id.bunchofstuff2.
But how? Here is my attempt:
RewriteEngine On
# checks for existence of value (value can be any character or series of characters) in cookie
RewriteCond %{HTTP_COOKIE} name_of_msfcookie=(.*)
RewriteRule ^(.*) - [CO=JSESSIONID:JSESSIONID[7].name_of_msfcookie:.place.com]
It doesn't work - I think JSESSIONID[7].name_of_msfcookie is invalid syntax )-=. I can't think of any valid syntax to do it.

That syntax works fine for me and the cookie that gets set looks correct. This is what I see when I send a request to apache with those rules with a name_of_msfcookie=something cookie:
Set-Cookie: JSESSIONID=JSESSIONID[7].name_of_msfcookie; path=/; domain=.place.com
Vary: Cookie
Not sure if that's what you are trying to do though. Note that the [CO] flag sends the cookie to the browser.

Related

httpOnly flag not working using Apache mod_headers

I've written this rule to add httpOnly flag to each cookie but the result was that.
What's wrong with the rule?
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
[EDIT]
I've tried to do this treatment at the backend, but it's using servlet 2.4 and jboss4, and the minimum required is servlet 3.0.
Do you want to edit the JSessionID header? If yes, then you need to use the same exact name in the Header directive, i.e.
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

How to set a Secure and HTTP Flag on a Cookie only when it doesn't have one? ( .htaccess )

I am currently using this .htaccess to add Secure and HttpOnly:
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
But because one cookie on this domain already has these flags, how can I apply it only to the ones that don't have them? Because I don't have direct access to the server, it needs to be done via .htaccess.
The following approach will check if the browser sent us the HTTPOnly and Secure cookie. If those are not included, you can set them with the Header command as usual.
<If "%{HTTP_COOKIE} !~ m#HTTPOnly.*Secure#">
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
</If>
This only works with Apache 2.4+.
The Solution to this Question was this:
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
#Strip off double Secure or HttpOnly settings as if App and Apache sets above you can sometimes get both
Header always edit Set-Cookie (?i)^(.*);\s?Secure;?\s?(.*)?;?\s?Secure;?\s?(.*)$ "$1; $2; $3; Secure"
Header always edit Set-Cookie (?i)^(.*);\s?HttpOnly;?\s?(.*)?;?\s?HttpOnly;?\s?(.*)$ "$1; $2; $3; HttpOnly"
#Strip off double ;; settings
Header always edit* Set-Cookie (;\s?){2,} "; "
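An alternative that needs no clean-up rules, as an added example (not from the original posts): the attributes travel only in the response Set-Cookie header (the request Cookie header holds just name=value pairs), so each rule matches Set-Cookie and uses a negative lookahead to skip cookies that already carry the attribute.

```apache
# Added example. Requires mod_headers; its regexes are PCRE, so lookaheads work.
#
# Unconditional form from the question: cookies the application already
# flagged end up with "HttpOnly" and "Secure" twice.
#   Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
#
# Conditional form: (?!...) makes the pattern fail, so the header is left
# untouched, when the attribute already appears after a ";" (any case).
Header always edit Set-Cookie "(?i)^(?!.*;\s*HttpOnly\s*(?:;|$))(.+)$" "$1; HttpOnly"
Header always edit Set-Cookie "(?i)^(?!.*;\s*Secure\s*(?:;|$))(.+)$" "$1; Secure"

# mod_headers keeps two response header tables. Cookies set through the
# default "onsuccess" table are not seen by "always" rules, so repeat the
# rules without "always" to cover both.
Header edit Set-Cookie "(?i)^(?!.*;\s*HttpOnly\s*(?:;|$))(.+)$" "$1; HttpOnly"
Header edit Set-Cookie "(?i)^(?!.*;\s*Secure\s*(?:;|$))(.+)$" "$1; Secure"
```

Running `curl -I` against the site twice and comparing the Set-Cookie lines confirms that each attribute appears exactly once per cookie.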

redirecting a single https page to another http page

I want to redirect an old https page to a new http page. I’ve tried this rule several times but it does not work:
RewriteRule ^https://www.mydomain.com/tc/page.html$ http://www.mydomain.com/index.php [L,R=301]
Anyone know what the problem is?
Your rewrite rule is this:
RewriteRule ^https://www.mydomain.com/tc/page.html$ http://www.mydomain.com/index.php [L,R=301]
Change it to this:
RewriteRule ^tc/page.html$ http://www.mydomain.com/index.php [L,R=301]
Also make sure RewriteEngine is set to On & there is an https check as well:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule ^tc/page.html$ http://www.mydomain.com/index.php [L,R=301]
The issue is when you attempt to match https://www.mydomain.com/tc/page.html it will try to match your domain on top of that specific path like this:
https://www.mydomain.com/https://www.mydomain.com/tc/page.html
Which is incorrect since that would never exist.
Also, while I am not clear on what your desktop environment is, it’s generally best to not trust browsers at first when testing stuff like this. I highly recommend using curl with the -I option to return the headers of a request to fully test it uncached & away from browser quirks like this.
For example, I tested this rule on my local Mac OS X MAMP setup like this:
curl -I http://localhost:8888/tc/page.html
And the curl -I output returned is:
HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Jun 2014 02:08:53 GMT
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8y DAV/2 PHP/5.4.10
Location: http://www.mydomain.com/index.php
Content-Type: text/html; charset=iso-8859-1
The Location: field confirms this rule works as expected.

How to change a cookie name with mod_rewrite?

I'm trying to change the name of a cookie that's set by an AWS ELB, but keep its value with a rewrite condition and rewrite rule.
Here's what I've managed so far:
RewriteCond %{HTTP_COOKIE} AWSELB=(^BD.*) [NC]
RewriteRule ^(.*) - [CO=SIMELB:%1:.amazonaws.com:lifetime:-1]
Obviously the RewriteRule is incorrect, but could someone help me with the right syntax?
Ok, following the comment thread, I think there's enough info to get started. Foremost, your
pattern doesn't work because of the (^BD.*) capture group, and in particular because of
the ^ anchor. Instead, capture (BD[^;]+) to grab everything up to the next ; (or the
end of the string if there isn't one).
To explicitly unset the previous cookie, other examples use the INVALID modifier, though I
cannot find the documentation for it.
Apache mod_rewrite documentation on Cookies
RewriteCond %{HTTP_COOKIE} AWSELB=(BD[^;]+) [NC]
# Delete the old one
RewriteRule ^ - [CO=AWSELB:INVALID:.amazonaws.com:0:/:-1]
# Add the new one
# Specify your lifetime in minutes or 0 for the browser session (60 below)...
# Also add the path
# Assuming the -1 is for insecure cookies
RewriteRule ^ - [CO=SIMELB:%1:.amazonaws.com:60:/:-1]
For the old cookie to be successfully unset, both the domain and the path will need to
exactly match those originally set by AWS. Inspect the cookies currently being set and make
sure you match the domain & path.
And really, it isn't necessary to match BD... You could just as well do AWSELB=([^;]+) because it must only match up to the following semicolon anyway.
Addendum:
If the value is being lost, it may be because the RewriteCond is only applied to the first subsequent matching RewriteRule. You can always just repeat the RewriteCond. This is ugly, unfortunately, but I tested it and found it to work correctly.
# no capture group the first time since you don't use it until later
RewriteCond %{HTTP_COOKIE} AWSELB=BD.+ [NC]
RewriteRule ^ - [CO=AWSELB:INVALID:.amazonaws.com:0:/:-1]
# This will continue to execute since the previous didn't have [L]
RewriteCond %{HTTP_COOKIE} AWSELB=(BD[^;]+) [NC]
RewriteRule ^ - [CO=SIMELB:%1:.amazonaws.com:60:/:-1]
(Note: you won't see the cookie value updated until a subsequent HTTP request; that is, if you tried to inspect it from your script right after setting it with Apache, the new value won't be present because the cookie header has to make a round trip back to the client)
Instead of trying to rewrite the cookie name, I tested with mod_headers directives and seem to have addressed my issue with Amazon's ELB cookie breaking session affinity with another Amazon ELB.
RequestHeader edit Cookie AWSELB SIMELB
RequestHeader edit Cookie APPELB AWSELB
Header always edit Set-Cookie AWSELB APPELB
Header edit Set-Cookie AWSELB APPELB
This so far seems to work, relying on the browser to maintain the memory for me, because after retrieving the value of the first AWSELB on request, when I get the Set-Cookie response back from the second AWSELB, the browser sees APPELB={value} and recalls the correct request cookie obtained from the first AWSELB.

Apache mod_cache: Vary cache based on cookie values

Currently, I am using mod_cache to cache the page details of a web application.
I have the cache Vary based on User-Agent and Accept-Language, since there are different payloads for those situations.
Vary: User-Agent, Accept-Language
We have plans to have region-specific information on each page, but this is where we are trying to determine our caching strategy.
We have a cookie that persists to indicate the region we geolocated for, but obviously the cache does not vary based on this cookie.
Is it possible to vary based on the value for certain cookies or headers in general? (Note I say certain cookies, as we wouldn't want the session identifier to collide with this) - something like a regex match to this:
location=(.+?);
That is possible using Apache. It can parse cookie value and pass it to custom header, then you need to Vary by this header:
# Set languageC cookie value to environment variable "siteLanguage"
RewriteCond %{HTTP_COOKIE} ^.*lunetics_locale.*$ [NC]
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)lunetics_locale=([^;]*) [NC]
RewriteRule ^(.*)$ - [env=siteLanguage:%1]
# If no languageC cookie present. Set "siteLanguage" environment variable to "en"
RewriteCond %{HTTP_COOKIE} !^.*lunetics_locale.*$ [NC]
RewriteRule ^(.*)$ - [env=siteLanguage:en]
# Set environment variable "siteLanguage" value to custom header "X-Language"
RequestHeader set X-Language "%{siteLanguage}e" env=siteLanguage
and add Vary X-Language to your response headers.
I'm not sure this is the best way; I have a related question and problems with this: Is it possible to vary page caches (to have cache versions) with the same url and different cookie value (language)?
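A hardened variant of the rules above, as an added example (not from the original answer): the cookie value is client-controlled, and once it feeds a header named in Vary, every distinct value becomes its own cache variant, so only allowlisted values are passed through. The locale list en, de, fr is an assumption; replace it with the values your application serves.

```apache
# Added example. Requires mod_rewrite and mod_headers.
RewriteEngine On

# Start from the default on every request.
RewriteRule ^ - [E=siteLanguage:en]

# Override the default only when the cookie holds an allowlisted value.
# The value must be followed by ";" or the end of the header, so
# "lunetics_locale=en-anything" does not match. No [NC] flag: "EN" and
# "en" would otherwise be stored as two separate cache variants.
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)lunetics_locale=(en|de|fr)(?:;|$)
RewriteRule ^ - [E=siteLanguage:%1]

# "set" replaces any X-Language header the client sent itself, so the
# backend and the cache only ever see one of the allowlisted values.
RequestHeader set X-Language "%{siteLanguage}e" env=siteLanguage

# Tell caches that the response depends on the normalized header.
Header append Vary X-Language
```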