Putting header value into cookie

Forum Moderators: phranque

Message Too Old, No Replies

Putting header value into cookie

dfresh4130

8:26 am on Feb 3, 2015 (gmt 0)

I'm working on a rule to create a cookie if a header exists. I know I can do this with a rewrite condition and rule. I was thinking using mod_headers may be less overhead on the server, but I'm wondering if it's possible to do this conditionally. Basically, if TEST_HEADER exists I want to create TEST_COOKIE where the value is the value of TEST_HEADER. Not sure which route is the best way to go. Also, TEST_HEADER is being set as a response header by servers in domain1.com on 301 redirects and TEST_COOKIE is being set by servers in domain2.com.

lucy24

7:50 pm on Feb 3, 2015 (gmt 0)

TEST_HEADER is being set as a response header by servers in domain1.com on 301 redirects and TEST_COOKIE is being set by servers in domain2.com

Are you saying that
"If the response header from request 1 to domain A was such-and-such, then set this-and-that cookie on request 2 to domain B"?
That would seem to be impossible, so something must be missing from the question.

Does the second URL-- the one that's a target of the 301 redirect-- also exist independently? Or will it only ever be requested by people getting redirected from the earlier URL?

dfresh4130

9:17 pm on Feb 3, 2015 (gmt 0)

Maybe I'm thinking about this wrong. I need to set a cookie on the servers the 301 redirect is sending them to. The referer would normally work fine, but in this case I need the cookie to contain some info from data only available to the servers doing the 301 redirect. My first thought is to try creating a custom header on those the servers doing the 301 and then say if that header exists create the cookie on the servers the 301 is pointing to. I wasn't sure if the header info from domainA would be available to the servers in domainB. The URLs do exist independently too.

lucy24

5:00 am on Feb 4, 2015 (gmt 0)

I keep thinking of this recent question [webmasterworld.com]. Would appending stuff to a query string-- making it an immutable part of the URL-- be an option?

dfresh4130

7:34 pm on Feb 6, 2015 (gmt 0)

Hmm, that's close, but I can't use a query string unfortunately as it'll impact SEO. What I really need is to get the original URL that was sent to the server giving the 301 redirect. I'd like to create a cookie on domainA.com with a value of the originally requested URL that domainB.com gave a 301 response on. The HTTP_REFERER would probably work in most situations, but in the event the user found their way from different URLs it would keep the original URL from the start instead of the URL that was given a 301.

lucy24

8:55 pm on Feb 6, 2015 (gmt 0)

I can't use a query string unfortunately as it'll impact SEO

Uh-oh, you've been talking to an SEO Guru. Don't do it; it addles the mind. You could always tell Google that such-and-such parameter doesn't affect page content and it should be ignored in indexing.

Setting a cookie on Site B while the user is on Site A is technically possible-- but it runs afoul of user preferences. I think most browsers now default to "accept cookies only from sites I visit".

:: detour to check something in mod_rewrite docs ::

[CO=NAME:VALUE:DOMAIN:lifetime:path:secure:httponly]

where the capitalized parts are required and the others are optional. Use this [CO] flag along with the existing R and L flags. It will get set before the browser makes its subsequent request (the one prompted by the redirect), so it should be part of the request. Since all this is happening in micro- or milliseconds, most users wouldn't even realize that the cookie for Site B is getting set before their browser has actually gone to Site B.

But the problem remains: your human user's browser may choose not to accept the cookie. What happens then?

dfresh4130

9:54 pm on Feb 6, 2015 (gmt 0)

My head is already well messed up having to deal with SEO folks. I'm able to set the cookie on domainA.com with no problems at all. I run into issues when the app on domainB.com needs to read that cookie and it can't due to security settings. I've tried creating the cookie on domainA then putting in a rewrite on domainB to change the domain of the cookie and leave everything else alone, but that doesn't work. Since I can't seem to find a way around that I'm just trying to see if it's possible to send the URL that was requested to the site giving the 301 response in a way that's visible to domainB. Below is an example of what I tried that does not work:

#domainA.com - works fine
RewriteCond %{HTTP_REFERER} (domainA\.com/.+) [NC]
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^(.*) - [CO=REDIRECTED:%{HTTP_HOST}%
{REQUEST_URI}:.domainA.com:1440:/]
RewriteCond %{HTTP_REFERER} (domainA\.com/.+) [NC]
RewriteCond %{QUERY_STRING} ^(.*)
RewriteRule ^(.*) - [CO=REDIRECTED:%{HTTP_HOST}%{REQUEST_URI}?%{QUERY_STRING}:.domainA.com:1440:/]

#domainB.com - does not work
RewriteCond %{HTTP_COOKIE} REDIRECTED=(.*)
RewriteRule ^(.*) - [CO=REDIRECTED:%1:.domainB.com:1440:/]

dfresh4130

10:56 pm on Feb 6, 2015 (gmt 0)

Basically I'm just trying to figure out if there's anything I can set on domainA.com that would include the requested URL equating to a 301 and be readable by domainB.com through apache.

lucy24

1:56 am on Feb 7, 2015 (gmt 0)

I went over and did some experimenting on my test site. I couldn't get third-party cookies to work: that is, setting a cookie for Site B while I was at Site A. Does it work on your sites? I tried a couple of different browsers, with various prefs settings. In all cases it was a silent fail: the cookie simply didn't show up.

In your examples, do the comment lines mean that the first two rulesets are located at Domain A while the third is located at Domain B?

Where do these [CO] rules occur in relation to the rules that create the redirect? I thought we were talking about a single package, with flags [R=301,CO=blahblah,L].

<tangent>
The quoted rules have more captures than they really need. And will the "Domain A" material occur on more than one host? Otherwise I don't see why the %{HTTP_HOST} part of the cookie is needed. Also, the default "path" value of a cookie is / so you need not specify this.

RewriteCond %{HTTP_REFERER} (domainA\.com/.+) [NC]
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^(.*) - [CO=REDIRECTED:%{HTTP_HOST}%{REQUEST_URI}:.domainA.com:1440:/]

can be tweaked to

RewriteCond %{HTTP_REFERER} domainA\.com/
RewriteCond %{QUERY_STRING} !.
RewriteRule .? - [CO=REDIRECTED:%{HTTP_HOST}/%{REQUEST_URI}:.domainA.com:1440]

and similarly

RewriteCond %{HTTP_REFERER} (domainA\.com/.+) [NC]
RewriteCond %{QUERY_STRING} ^(.*)
RewriteRule ^(.*) - [CO=REDIRECTED:%{HTTP_HOST}%{REQUEST_URI}?%{QUERY_STRING}:.domainA.com:1440:/]

RewriteCond %{HTTP_REFERER} domainA\.com/
RewriteCond %{QUERY_STRING} .
RewriteRule .? - [CO=REDIRECTED:%{HTTP_HOST}/%{REQUEST_URI}?%{QUERY_STRING}:.domainA.com:1440:]

I think you need a / in the cookie if you want the cookie to represent the complete URL (host plus path plus query) in the same way that you've included a ? in the second version.

The line

RewriteCond %{QUERY_STRING} ^(.*)

would seem to be flat-out wrong, because .* allows the possibility of no query. You want these two rules to be mutually exclusive, right?

Don't say [NC]: it makes extra work for the server, and adds the possibility of fake referers. Thanks to your domain-name-canonicalization redirect, any real referer will have only one form.
</tangent>