pre-used code not working on new server

Code previously working not working on new server

         

Wayder

8:01 pm on Nov 21, 2016 (gmt 0)




Hi,

I have used the following code for a while but I have just taken a new server and this does not work.

SetEnvIfNoCase host example\.com block
SetEnvIf cookie "mycookie=mycookievalue" pass

order deny,allow
deny from env=block
allow from env=pass

If you have the cookie it should let you in.

Any suggestions?

Thank you

lucy24

10:08 pm on Nov 21, 2016 (gmt 0)




What Apache version is the new server on? The "Order" directive is still recognized in 2.4, but only if you've got mod_compat (which, as its name indicates, was created solely to keep existing rules with 2.2 syntax from malfunctioning).

When you say "host" do you mean the content of the "Host" header, i.e. your own hostname? Ordinarily you'd express this as a negative: if they're looking for the wrong hostname--any wrong hostname--lock 'em out.

What is the intended action when a request matches neither the "allow" nor the "deny" conditions? Is the intention here to admit requests with the specific cookie, even if they would otherwise be blocked due to sending the wrong Host header?

Have you checked your request headers to verify that the "Host" and "Cookie" headers are coming through as intended?

As always: what does "does not work" mean? I realize it is intuitively obvious to you, but it isn't obvious to everyone else.

Wayder

7:53 pm on Nov 22, 2016 (gmt 0)




Hello Lucy,

Thanks for the reply.

I am checking the Apache version as I did find the change to Require and need to read up on this.

When I upload a change I have a test site on the same server so that I can check that everything is working 100% before I alter the live site. I use the same .htaccess file for both sites so I block access to the test site from everyone but allow myself in with a cookie hence looking for my own dev site. Maybe I should change this to 'if not my live site then block'.

On checking with PHP, the env's set in Apache are coming through in the $_SERVER array but I have an empty $_ENV array.

My intention is to block anyone accessing the site apart from me with my cookie so not working means I'm not being allowed in with my cookie after the site has been denied.

Thank you

Wayder

10:58 pm on Nov 22, 2016 (gmt 0)




Solved :)

SetEnvIf cookie "(^| )cookie=mycookievalue($|;)" pass

order deny,allow
deny from all
allow from env=pass

I am extremely curious why the change but I will probably be forever wondering. If anyone has any idea I would love to get an explanation.

Thank you for your help Lucy.

[edited by: phranque at 1:33 am (utc) on Nov 23, 2016]
[edit reason] disabled graphic smile faces using code tags [/edit]

mack

12:24 am on Nov 23, 2016 (gmt 0)




Thanks for posting your solution. It may well save someone else a lot of time in the future!

Mack.

lucy24

6:15 pm on Nov 23, 2016 (gmt 0)




SetEnvIf cookie "(^| )cookie=mycookievalue($|;)" pass

order deny,allow
deny from all
allow from env=pass

I am extremely curious why the change

That makes two of us.

There are actually two changes. The other involves a change from "deny from env=blahblah" to "deny from all" -- but with an order "deny,allow" that shouldn't make a difference, and in fact it's the "allow" part that's relevant.

The significant change is from
cookie=mycookievalue

to
(^| )cookie=mycookievalue($|;)

:: detour to check something ::

Ah. Multiple cookies in the "Cookie" header are separated by "; " (semicolon, space).

It's analogous to the formulation you'd use in, for example, looking at query strings in mod_rewrite, where you might say (^|&)parameter=value(&|$) if you needed to constrain name and value to exact strings, and the whole thing might occur initially, medially or finally. But there the parenthesized bits are optional--at least I always thought they were--because anchors are only relevant if some parameters have overlapping names, or if it's important to consider the full and exact value.

To appease everyone's curiosity, would you care to do a bit more experimenting? Verify that both anchors--before (^| ) and after ($|;)--are necessary in order to make the rule work. It's possible that a newer Apache version has changed the way it interprets the Cookie header, though you'd think they would say so somewhere. Hmph.

If your host is coy about what Apache version you're on, there are some simple tests you can do to pin it down. Simplest is to check for the various versions of mod_authwhatsit, since they tend to get a new name each time.

Incidentally, if you have a fixed IP, the rule could be expressed as
Deny from all
Allow from 11.22.33.44 (your exact IP)
It doesn't have to be fixed-as-such (your ISP may charge extra, depending on connection type); it's enough if you've found by experiment that your IP hardly ever changes. This obviously will not work if you are on AOL dialup ;)

:: final smiley added to placate Forums after ruthlessly inserting [ b][ /b] everywhere else ::

Wayder

11:49 pm on Nov 23, 2016 (gmt 0)




Mack
I find it so frustrating to repeatedly search only to find my question without a solution so always try to post a solution if I find one.

Lucy
They weren't coy at all. Server version: Apache/2.4.23

The cookie match worked without the anchors but I wanted an exact match that's why I inserted them. Sorry for the confusion.

In my opinion, the env block was continually blocking despite the env pass instruction to allow it. Maybe this has something to do with the move over to Require. Unfortunately I am no real Apache expert and don't have time to experiment with this at the moment as I am under pressure to finish a project. When I have time, ha!

I don't have a fixed/permanent IP but do have a reasonably consistent IP. Every six months or so it randomly changes so for me I am happier setting a cookie.

Thanks for your help. I really appreciate it.
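
The anchoring discussed in the last two posts, as an added example that is not part of the thread: it runs the unanchored pattern shape from the first post and the anchored shape from the "Solved" post over constructed Cookie header values and reports which would set `pass`. The cookie name and value are the thread's placeholders, and Python's `re` is assumed to treat these simple constructs the same way Apache's regex engine does.

```python
import re

NAME, VALUE = "mycookie", "mycookievalue"  # placeholder names from the thread

# Shape of the first post's pattern: a bare substring search.
UNANCHORED = re.compile(re.escape(NAME) + "=" + re.escape(VALUE))
# Shape of the "Solved" pattern: the name must start the header or follow a
# space, and the value must end the header or be followed by ';'.
ANCHORED = re.compile(
    r"(^| )" + re.escape(NAME) + "=" + re.escape(VALUE) + r"($|;)"
)

# Constructed Cookie header values (not captured traffic).
SAMPLES = {
    "only cookie":        "mycookie=mycookievalue",
    "first of several":   "mycookie=mycookievalue; theme=dark",
    "last of several":    "theme=dark; mycookie=mycookievalue",
    "middle":             "a=1; mycookie=mycookievalue; b=2",
    "longer name":        "notmycookie=mycookievalue",
    "longer value":       "mycookie=mycookievalue2",
    "inside other value": "ref=mycookie=mycookievalue",
    "absent":             "theme=dark",
}


def sets_pass(pattern, cookie_header):
    """True where SetEnvIf with this regex would set the 'pass' variable."""
    return pattern.search(cookie_header) is not None


def compare():
    """Map each sample label to (unanchored_result, anchored_result)."""
    return {
        label: (sets_pass(UNANCHORED, header), sets_pass(ANCHORED, header))
        for label, header in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (loose, strict) in compare().items():
        print(f"{label:20} unanchored={loose!s:5} anchored={strict}")
```

Both patterns accept the cookie in first, middle and last position; only the anchored one rejects the three look-alike headers, where the name or value merely contains the expected string.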