Re: [mod-security-users] processing a cookie
From: Alex V. <ale...@ss...> - 2006-04-13 14:12:37
Hi
in the documentation, you can read this :
COOKIE_name - search cookie with name name
So, just write a rule allowing this cookie if value length is 32B and only hexa chars :
if (as I suppose) it's for the same apps as before :
SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" chain
SecFilterSelective ARGS_hash "^[0-9a-zA-Z]*$" chain
SecFilterSelective COOKIE_PHPSESSID "^[0-9a-fA-F]{32}$" allow
else :
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-fA-F]{32}$" deny
Alex
On Thu 13 April 2006 4:10, joe barbish wrote:
> Hello list
> In my debug log I see this.
> I know this is being created by my php session control.
> This seems to pass right through my mod_security rules untouched.
>
> Raw cookie header "PHPSESSID=57afe9ec2e03d155efde2b7d53171a7e"
> Adding cookie "PHPSESSID"="57afe9ec2e03d155efde2b7d53171a7e"
>
> I want to have rules to check cookie name and that the argument
> PHPSESSID is there and that the content is (which looks like md5) valid with nothing inserted.
> I do not have enough knowledge to even begin writing a rule or even to
> begin formulating how to ask intelligent question about processing cookies.
>
> I need your help please.
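An added example, not part of the original thread: the check discussed here (PHPSESSID present, exactly 32 hex characters, nothing inserted) written in Python so the effect of the pattern's end anchor can be tested offline. The function names and the sample headers are constructed for illustration; only the session value comes from the debug log quoted above.

```python
import re

# Exactly 32 hex characters; fullmatch() allows nothing before or after.
SESSION_ID = re.compile(r"[0-9a-fA-F]{32}")
# Start-anchored only: matches a 32-char prefix and ignores what follows.
PREFIX_ONLY = re.compile(r"^[0-9a-fA-F]{32}")


def cookie_values(raw_header, name):
    """Return every value sent for `name` in a raw Cookie header."""
    values = []
    for pair in raw_header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            values.append(value.strip('"'))
    return values


def check_session_cookie(raw_header, name="PHPSESSID"):
    """Classify the cookie: 'ok', 'missing', 'duplicate' or 'malformed'."""
    values = cookie_values(raw_header, name)
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"
    return "ok" if SESSION_ID.fullmatch(values[0]) else "malformed"


def prefix_check_passes(value):
    """What a pattern with a start anchor but no end anchor would accept."""
    return PREFIX_ONLY.search(value) is not None


# Constructed sample headers built around the value from the debug log.
GOOD = "PHPSESSID=57afe9ec2e03d155efde2b7d53171a7e"
SAMPLES = {
    "valid": GOOD,
    "trailing data": GOOD + "-appended",
    "too short": "PHPSESSID=57afe9ec",
    "non-hex": "PHPSESSID=" + "z" * 32,
    "sent twice": GOOD + "; " + GOOD,
    "absent": "lang=en",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:14} -> {check_session_cookie(header)}")
```

The "trailing data" sample is rejected by the full-length match but would pass a pattern that anchors only the start, which is why the end anchor matters for the "nothing inserted" requirement.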