Hello Luca,

Looks like comma is not allowed in cookie value. Do you have control of your application and maybe encode it ?
Maybe i need to add a new directive SecCookieV0Separator for this situations.

Could you send me send the cookie string ? I'd like to see.

Thanks

Breno

On Wed, Jan 30, 2013 at 7:53 AM, Luca <superpizza@bigfoot.com> wrote:
Hi everyone.
I've got a problem with cookie separator logic.
It happens I'm receiving requests containing a cookie whose value
contains a comma character ",".
ModSec splits then this cookie in two parts, ending the first one
just before the comma.
This means the second created cookie has a name created out of
the remaining part of the original cookie value...
Unfortunately I don't have any control on how these cookies are created.
I tried setting SecCookieFormat to "1", still no difference in ModSec behavior.
Any suggestion to avoid this problem?

Here's my configuration.
ModSec 2.7.2
CoreRules: 2.2.7
Linux RHEL 6, 32 Bit

Thanks, Luca



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/