Re: [mod-security-users] Invalid cookie format error, why?

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Aditya wrote:
> With:
> 
>    SecFilterCheckCookieFormat On
> 
> we are seeing the following error:
> 
>  Cookie: DYN_CAL='fdow':null,'history':"2005/02/21/19/23",'hsize':9
>  mod_security-message: Invalid cookie format: Cookie value is missing #1
>  mod_security-action: 500
> 
> However, looking at the module code, it seems like the "=" isn't being
> matched, but I can't really tell why:

   Your cookie is in v0 format, while the mod_security 1.8.6 parser
   expects v1 format. I originally thought the 1.8.6 parser will be able
   to handle both but I was mistaken. I realized this recently (when I
   was investigating Stefan's claims, see here

   http://www.modsecurity.org/documentation/known-issues.html

   ) so that's why 1.8.7 now has two cookie parsers. It will correctly
   parse your cookie (I just tried it with 1.8.7RC1).

 >  Cookie: DYN_CAL='fdow':null,'history':"2005/02/21/19/23",'hsize':9
                               ^
   In v1 the comma is used as cookie separator, so the parser was
   expecting two cookies there.

-- 
Ivan Ristic (http://www.modsecurity.org)