Because the cookie isn't going to be set when the client makes its request after your (first-rule) redirect, the client will be redirected again and again.

The second rule will never ever run.

Try this:

RewriteCond $1 !^index\.php$
RewriteCond $1 !^login/$
RewriteCond %{HTTP_COOKIE} !^([^&]*&)*access=granted(&.*)?$ [NC]
RewriteRule ^controlpanel/(.*)$ http://example.com/controlpanel/login/ [NC,R=302,L]
#
RewriteRule ^controlpanel/login/$ controlpanel/index.php [NC,L] 

This prevents a second redirect after the first one redirects the client to "/controlpanel/login/" and also prevents the redirect after you rewrite to '/controlpanel/index.php"

The tweaks to the cookie test are for pattern efficiency and specificity; Always avoid ".*" patterns when a more-specific pattern can be used.

If the correction above helps, then you can combine the first two RewriteConds using a "local OR" in the pattern itself.

Jim

Thanks. However, it seems to always redirect now to /login/ whether the cookie is set or not.

The difference between your original cookie-testing pattern and the one I posted is that your pattern would accept "foo=bar&junkaccess=granted-you-bet&more-stuff=yes", while mine would allow only exactly "access=granted" between the two ampersands.

In neither case are any preceding or following cookie parameters required, but the pattern I suggested only matches exactly "access=granted" between any additional ampersand-delimited parameters that *are* present in the cookie. If you use something else such as semicolons, commas, or underscores to delimit multiple arguments in your cookie, then replace the ampersands in the pattern with that character.

If on the other hand there is never anything but the one parameter in that cookie, then use an exact-match pattern like ^access=granted$ instead of "^.*access=granted.*$" or the pattern I suggested above.

Also, be sure to completely-flush (delete) your browser cache before testing any new server-side code.

Jim