    A question about cookies

    I have been messing around with Apache, trying to get it to rewrite https:// to http:// unless a secure authentication cookie is present, or the page requested was the login page.

    Basically, my solution works for some browsers and not others. I think it may be because the cookie is named differently in some browsers, but I'm not sure.

    Browsers that work:
    Rekonq
    Firefox (Linux)
    AOSP browser

    Browsers that go into an infinite redirect loop:
    FF for Android

    Here's the code I'm using to do the rewriting:
    Code:
    # rewrite HTTPS to HTTP unless login page or HTTPS cookie is present
    # works in FF and Rekonq on Linux, AOSP browser but not FF for Android.
    # Only fire on the TLS side (guard added; the rule as posted has no scheme check)
    RewriteCond %{HTTPS} on
    # "^" anchors at the start of the whole Cookie header, so this matches only
    # when the session cookie is the first cookie the browser sends
    RewriteCond %{HTTP_COOKIE} !^SSESS612cb529d2dfaadfff38b8731a3a4c8a
    # THE_REQUEST is the request line, e.g. "GET /user/login HTTP/1.1"
    RewriteCond %{THE_REQUEST}     !user [NC]
    RewriteRule ^/(.*)          http://www.samhobbs.co.uk/$1 [R=permanent,L]
    I.e. rewrite to http unless a cookie with the name "SSESS612cb529d2dfaadfff38b8731a3a4c8a" was sent, or the request headers contained the string "user" (which is in the login URL path).

    Any cookie experts out there?

    It's puzzling that FF for Linux works but FF for android doesn't.


    P.S. That cookie name is the name of the secure authentication cookie for Drupal. The name is a unique string for my installation of Drupal (always the same) and although it looks like it should be secret it isn't, the secret bit is the string inside the cookie, which changes if you log in again.

    Feathers
    samhobbs.co.uk

    #2
    Is this helpful?

    http://stackoverflow.com/questions/8...-https-to-http



      #3
      Unfortunately not, I'm quite comfortable with redirecting the whole bucket, but I can't do that because I use a CAcert SSL certificate so most people would get browser errors when they visit the site - ~~I only want to redirect administrators~~ I want to redirect everyone apart from administrators.

      I think my solution above works and the redirect was caused by caching errors. Perhaps if I change it to [R=302,L] the browser won't remember the redirect so if I log off (and the cookie is removed) and then visit a page again I won't end up in an eternal loop.

      I also received some Drupal-specific solutions on the Drupal forum:

      https://drupal.org/node/2284075
      Last edited by Feathers McGraw; Jun 17, 2014, 01:23 PM. Reason: see strike
      samhobbs.co.uk



        #4
        Interesting use case.

        Re: caching ... I've pretty much given up on trusting whether browsers cache stuff properly. I now disable caching on all browsers on all machines.



          #5
          But bandwidth!
          samhobbs.co.uk



            #6
            Yeah, what about it? *munches celery*



              #7
              Yikes! That's very speedy!

              Do you also disable caching on your mobile?
              samhobbs.co.uk



                #8
                Most mobile browsers seem to lack the ability to disable the cache. But I do disable DNS prefetch, page prefetch, and similar predictive junk.



                  #9
                  Originally posted by SteveRiley:
                  But I do disable...page prefetch, and similar predictive junk.
                  Isn't Chrome the only browser that does that? I've never really been comfortable with the idea of a browser preloading pages you didn't click on, it seems like that makes CSRF attacks and other nasties so much easier.
                  samhobbs.co.uk



                    #10
                    Hmm, I've just re-read the early part of the conversation and my response to your link doesn't make much sense (I was tired this morning!). To clarify, the reason the solution in the link wouldn't solve my problem is because it would redirect everyone (including me), but I want to redirect everyone apart from authenticated users / people with that secure cookie, i.e. me.

                    Also, I've been testing it some more and it works for Rekonq and AOSP but not Firefox on Linux or Android.

                    The only change I made this time is to change R=permanent to R=302... so it looks like there's something different about FF, I'll look into cranking up the logging on Apache to see if I can figure out what it is.

                    Edit: this might be one for ModSecurity's debug logging, I think if I set it to 4 or higher I should get the information about cookies that I need:

                    https://github.com/SpiderLabs/ModSec...al#SecDebugLog

                    Edit AGAIN: So I just restarted my laptop after an update to FF and whereas I was getting redirected to http before despite being logged in, now everything is A-OK. I'm a little bit unsure what changed, because I cleared all private data before I shut down and it didn't seem to have an effect. More investigation tomorrow - if nothing else I'll learn something about debugging Apache & ModSecurity!
                    Last edited by Feathers McGraw; Jun 17, 2014, 02:59 PM.
                    samhobbs.co.uk



                      #11
                      So... I loosened the cookie regex slightly and it seems to have done the trick:

                      Code:
                      # Only fire on the TLS side (guard added; the rule as posted has no scheme check)
                      RewriteCond %{HTTPS} on
                      # [NC] plus ".*" on either side: the name may sit anywhere in the Cookie header
                      RewriteCond %{HTTP_COOKIE} !^.*SSESS612cb529d2dfaadfff38b8731a3a4c8a.*$ [NC]
                      RewriteCond %{THE_REQUEST}      !user [NC]
                      RewriteRule ^/(.*)          http://www.samhobbs.co.uk/$1 [R=302,L]
                      samhobbs.co.uk


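An added example, not code from the thread or from Drupal: a small Python model of how mod_rewrite evaluates the condition chain in posts #1 and #11, so the anchored pattern, the loosened one, and a stricter alternative can be compared against constructed Cookie headers offline. The `strict` cookie and login patterns, the `%{HTTPS} on` guard, the cookie values and the request lines are all assumptions made here for illustration; only the cookie name and the two posted regexes come from the thread.

```python
import re

# Added example, not code from the thread: a Python model of how mod_rewrite
# evaluates the RewriteCond chain from posts #1 and #11, so the cookie
# patterns can be compared against constructed Cookie headers offline.

# Drupal secure-session cookie name quoted in the thread (the value is the secret).
COOKIE_NAME = "SSESS612cb529d2dfaadfff38b8731a3a4c8a"

COOKIE_PATTERNS = {
    # post #1: "^" anchors to the start of the whole Cookie header, so the
    # session cookie only counts when the browser happens to send it first
    "anchored": re.compile(r"^" + COOKIE_NAME),
    # post #11 (with [NC]): the name may appear anywhere in the header, which
    # also accepts it as a substring of some other cookie's name
    "loosened": re.compile(r"^.*" + COOKIE_NAME + r".*$", re.IGNORECASE),
    # stricter alternative (an assumption, not from the thread): the name must be
    # a whole cookie token, at the start or after ";", and carry a value
    "strict": re.compile(r"(?:^|;\s*)" + re.escape(COOKIE_NAME) + r"=[^;]+"),
}

LOGIN_PATTERNS = {
    # posts #1/#11: "!user [NC]" against THE_REQUEST, the request line; any
    # occurrence of "user" in method, path, query or version skips the redirect
    "loose": re.compile(r"user", re.IGNORECASE),
    # stricter alternative (assumption): only the /user path and its children
    "strict": re.compile(r"^[A-Z]+ /user(?:[/? ]|$)"),
}


def redirect_to_http(https, cookie_header, request_line,
                     cookie_pattern="anchored", login_pattern="loose"):
    """Return True when the rewrite chain would fire and send the client to http://.

    Every RewriteCond must hold for the RewriteRule to apply. The `https` check
    models a `RewriteCond %{HTTPS} on` guard that the posted rules do not
    have; without it an http:// request could redirect to itself.
    """
    if not https:
        return False
    has_cookie = COOKIE_PATTERNS[cookie_pattern].search(cookie_header or "") is not None
    is_login = LOGIN_PATTERNS[login_pattern].search(request_line) is not None
    return not has_cookie and not is_login


# Constructed requests (not captured traffic); cookie values are made up.
CASES = [
    ("session cookie first",       f"{COOKIE_NAME}=abc123; has_js=1", "GET /node/1 HTTP/1.1"),
    ("session cookie not first",   f"has_js=1; {COOKIE_NAME}=abc123", "GET /node/1 HTTP/1.1"),
    ("name inside another cookie", f"X{COOKIE_NAME}=1",               "GET /node/1 HTTP/1.1"),
    ("anonymous, login page",      "",                                "GET /user/login HTTP/1.1"),
    ("anonymous, other page",      "",                                "GET /node/1 HTTP/1.1"),
    ("anonymous, 'user' in path",  "",                                "GET /users-guide HTTP/1.1"),
]


def compare(cookie_pattern, login_pattern="loose"):
    """Evaluate every constructed case under one pattern pair; returns {label: redirected}."""
    return {label: redirect_to_http(True, cookie, request, cookie_pattern, login_pattern)
            for label, cookie, request in CASES}


if __name__ == "__main__":
    for name in COOKIE_PATTERNS:
        print(name)
        for label, redirected in compare(name).items():
            print(f"  {label:28s} -> {'redirect to http' if redirected else 'stay on https'}")
```

Under the anchored pattern a logged-in client whose browser puts some other cookie before the session cookie is treated as anonymous and bounced to http:// on every https request; the loosened pattern fixes that but also accepts the name as a substring of an unrelated cookie, which the `strict` token match does not. The loose `!user` test skips the redirect for any request line containing that string, not just the login page.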

                        #12
                    Originally posted by Feathers McGraw:
                    Isn't Chrome the only browser that does that?
                        Some other Android browsers do this. Dolphin, for example.

                        Your question got me curious about Firefox. Let's see...

                        Whhaaaat?

                        network.dns.disablePrefetch
                        As of version 3.5, Firefox supports DNS prefetching. This is a feature by which Firefox proactively performs domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.

                        network.prefetch-next
                        Link prefetching is a browser mechanism, which utilizes browser idle time to download or prefetch documents that the user might visit in the near future. A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache.

                        Grrrr! Shame on you, Mozilla, for not surfacing these controls in the Preferences dialogs!



                          #13
                          Hmmm... I wonder if it restricts prefetching to certain types of connection... if it does it on HTTPS it's essentially leaking some information about the content of the page you are viewing, because your browser will do a DNS lookup for every external link in the page...?
                          samhobbs.co.uk



                            #14
                            Originally posted by SteveRiley:
                            Grrrr! Shame on you, Mozilla, for not surfacing these controls in the Preferences dialogs!
                            Thanks Steve. I've changed those settings just now.
                            Windows no longer obstructs my view.
                            Using Kubuntu Linux since March 23, 2007.
                            "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                              #15
                              Originally posted by Feathers McGraw:
                              Hmmm... I wonder if it restricts prefetching to certain types of connection... if it does it on HTTPS it's essentially leaking some information about the content of the page you are viewing, because your browser will do a DNS lookup for every external link in the page...?
                              The Mozilla Developer Network page describing DNS prefetch says this about HTTPS:
                              Also, by default, prefetching of embedded link hostnames is not performed on documents loaded over HTTPS. This can be changed by setting the network.dns.disablePrefetchFromHTTPS preference to false.

                              The page about link prefetching is pretty clear that such fetches happen only if page developers include <link> tags or Link: headers. Both HTTP and HTTPS links can be prefetched. Note also the warnings about referrer headers and cookies:
                              Do prefetched requests contain a Referer: header?
                              Yes, prefetched requests include a HTTP Referer: header indicating the document from which the prefetching hint was extracted

                              Privacy implications
                              Along with the referral and URL-following implications already mentioned above, prefetching will generally cause the cookies of the prefetched site to be accessed. (For example, if you google amazon, the google results page will prefetch www.amazon.com, causing amazon cookies to be sent back and forth. You can block 3rd party cookies in Firefox, see Disabling third party cookies.)

                              We can infer from this that Google search results are full of <link> tags or Link: headers. Yet another reason to avoid Google it seems.

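An added example, not code from the thread or from Mozilla: given a document URL, its HTML and its `Link:` response header, this Python script lists what the two Firefox mechanisms quoted in posts #12 and #15 would touch without a click: the URLs link prefetch would fetch outright (carrying Referer and that site's cookies), and the third-party hostnames DNS prefetch would resolve, which is the leak post #13 asks about. The sample page, the `Link:` header, the example.* hostnames and the `dns_prefetch_from_https` flag (standing in for `network.dns.disablePrefetchFromHTTPS` set to false) are constructed here; the set of rel values and the HTTPS default follow the MDN text quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not code from the thread: report what Firefox's two prefetch
# mechanisms, as quoted in posts #12 and #15, would touch for a document.
# All inputs below are constructed; the hostnames are example.* placeholders.

PREFETCH_RELS = {"prefetch", "next"}  # rel values that trigger link prefetch


class HintCollector(HTMLParser):
    """Collect link-prefetch hints and every URL the document references."""

    def __init__(self):
        super().__init__()
        self.prefetch = []    # hrefs of <link rel="prefetch"|"next">
        self.referenced = []  # every URL whose hostname DNS prefetch may resolve

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            rels = set((a.get("rel") or "").lower().split())
            if rels & PREFETCH_RELS:
                self.prefetch.append(a["href"])
            self.referenced.append(a["href"])
        elif tag in ("a", "area") and a.get("href"):
            self.referenced.append(a["href"])
        elif tag in ("img", "script", "iframe") and a.get("src"):
            self.referenced.append(a["src"])


LINK_HEADER = re.compile(r"<([^>]+)>\s*((?:;\s*[^,]*)*)")


def prefetch_from_link_header(value):
    """URLs from a Link: header whose rel is prefetch or next."""
    urls = []
    for m in LINK_HEADER.finditer(value or ""):
        url, params = m.group(1), m.group(2)
        rel = re.search(r'rel\s*=\s*"?([^";,]*)', params, re.IGNORECASE)
        if rel and set(rel.group(1).lower().split()) & PREFETCH_RELS:
            urls.append(url)
    return urls


def prefetch_exposure(document_url, html, link_header="", dns_prefetch_from_https=False):
    """Return what prefetching would do for this document.

    "full_fetch": URLs fetched outright (with Referer and that site's cookies).
    "dns_only":   third-party hostnames resolved ahead of any click. Per the MDN
                  text quoted in #15 this is off for HTTPS documents unless
                  network.dns.disablePrefetchFromHTTPS is set to false, which the
                  dns_prefetch_from_https flag models.
    """
    doc = urlsplit(document_url)
    collector = HintCollector()
    collector.feed(html)
    full_fetch = [urljoin(document_url, u)
                  for u in collector.prefetch + prefetch_from_link_header(link_header)]
    dns_only = set()
    if doc.scheme != "https" or dns_prefetch_from_https:
        for u in collector.referenced:
            host = urlsplit(urljoin(document_url, u)).hostname
            if host and host != doc.hostname:
                dns_only.add(host)
    return {"full_fetch": full_fetch, "dns_only": sorted(dns_only)}


# Constructed page and header, not captured from any real site.
SAMPLE_HTML = """<html><head>
<link rel="prefetch" href="https://cdn.example.net/next-article.html">
<link rel="stylesheet" href="https://static.example.org/site.css">
</head><body>
<a href="https://shop.example.com/cart">cart</a>
<a href="/local">local</a>
<img src="https://images.example.org/logo.png">
<script src="//analytics.example.net/a.js"></script>
</body></html>"""
SAMPLE_LINK_HEADER = ('<https://cdn.example.net/page2.html>; rel="prefetch", '
                      '<https://other.example/x>; rel="preload"')

if __name__ == "__main__":
    for url in ("https://www.example.com/article", "http://www.example.com/article"):
        print(url, prefetch_exposure(url, SAMPLE_HTML, SAMPLE_LINK_HEADER))
```

Run against the same constructed page twice: over HTTPS only the two explicit prefetch targets are fetched and no hostnames are resolved early; over HTTP, or with the HTTPS restriction lifted, every third-party host the page links to or embeds is resolved before the user clicks anything. Same-origin references are excluded since resolving the document's own host reveals nothing new.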