redirect or rewrite on cookie

cookie filtering

         

freizag

12:57 pm on Sep 9, 2009 (gmt 0)


Hello All,

How reliable is redirecting within .htaccess based on whether the user has a cookie set (or based on the value of that cookie) for filtering or preventing content access?

Can it be circumvented in any way, for example with such apps as Curl and wget, and spiders?

I got such a great reply on a post yesterday that I thought I'd throw this one into the pot.

Thank you in advance for any input
Freizag

jdMorgan

6:28 pm on Sep 9, 2009 (gmt 0)


It can be quite reliable, but only if the cookie value cannot be easily 'faked' -- The cookie value should be unique to the visitor, valid only for a fixed period of time, valid only within the "realm" within your site in which you want it to be considered valid, and should be generated using some non-trivial encryption method, which can and must be checked by your server.

Use a cookie value more like an encoded vehicle-identification number, and less like "This-is-my-cookie". :)

Jim
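
The properties listed in the reply above, as an added example that is not code from this thread: a cookie value bound to a visitor id, a realm and an expiry time, then authenticated with HMAC-SHA256 (a keyed signature, used here in place of encryption) and checked on the server. The function names, field layout and key are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server-side secret (constructed for this example);
# a real deployment loads a random key from protected configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload: str) -> bytes:
    """Return the URL-safe base64 HMAC-SHA256 tag of the payload."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def issue_cookie(visitor_id: str, realm: str, ttl: int,
                 now: Optional[float] = None) -> str:
    """Build 'visitor|realm|expiry|mac' for use as a cookie value."""
    if "|" in visitor_id or "|" in realm:
        raise ValueError("field separator not allowed in visitor_id or realm")
    expiry = int((time.time() if now is None else now) + ttl)
    payload = f"{visitor_id}|{realm}|{expiry}"
    return f"{payload}|{_sign(payload).decode()}"


def verify_cookie(value: str, realm: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the visitor id if the value is authentic, in-realm and unexpired."""
    parts = value.split("|")
    if len(parts) != 4:
        return None
    visitor_id, cookie_realm, expiry, mac = parts
    payload = f"{visitor_id}|{cookie_realm}|{expiry}"
    # Constant-time comparison; the fields are trusted only after this passes.
    if not hmac.compare_digest(mac.encode(), _sign(payload)):
        return None
    if cookie_realm != realm:
        return None  # valid cookie, but issued for another part of the site
    if int(expiry) < (time.time() if now is None else now):
        return None  # valid cookie, but past its fixed lifetime
    return visitor_id
```

A fixed string such as "This-is-my-cookie" fails the length and MAC checks, and changing any field of an issued value invalidates its tag.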

freizag

8:28 am on Sep 10, 2009 (gmt 0)


Thank you Jim, that's what I thought as well.
Best regards
Freizag