In my apache config, I want to allow access only when a specific url parameter matches a specific cookie.

I imagine a solution looking similar to this (in pseudocode):

param = get_url_parameter_with_a_specific_name_from_request  

if (!http_cookie_includes_a_cookie_named_<param>) {
 Require all denied
}

How can I implement that?


<If "%{QUERY_STRING} =~ /myparam=abc/">
  <If "%{HTTP_COOKIE} =~ /abc=1/">
    Require all granted
  </If>
  <Else>
    Require all denied
  </Else>
</If>
<ElseIf "%{QUERY_STRING} =~ /myparam=def/">
  <If "%{HTTP_COOKIE} =~ /def=1/">
    Require all granted
  </If>
  <Else>
    Require all denied
  </Else>
</ElseIf>
<ElseIf "%{QUERY_STRING} =~ /myparam=ghi/">
  <If "%{HTTP_COOKIE} =~ /ghi=1/">
    Require all granted
  </If>
  <Else>
    Require all denied
  </Else>
</ElseIf>
<ElseIf "%{QUERY_STRING} =~ /myparam=whatever/">
  <If "%{HTTP_COOKIE} =~ /whatever=1/">
    Require all granted
  </If>
  <Else>
    Require all denied
  </Else>
</ElseIf>
...

How can I write this without mentioning the whatever part specifically, but using a variable instead?

Lokomotywa

1 Answer

I'm not quite sure if I understood your question correctly.

I used this a while ago to semi secure a site:

RewriteEngine On
# Allow access when the GET parameter t=let_me_in is set and set a cookie
<If "%{QUERY_STRING} =~ /t=let_me_in$/">
    RewriteRule ^(.*)$ "/?t=authorized" [R,CO=ALLOWED:YES:dev.example.com]
</If>
# Allow access when the cookie is set
<ElseIf "%{HTTP_COOKIE} =~ /ALLOWED/">
    RewriteRule ^(.*)$ "-" [CO=ALLOWED:YES:dev.example.com]
</ElseIf>
# Reject everybody else
<Else>
    Require all denied
</Else>

If the query string of a request contains a specific token (in this case t=let_me_in), a cookie named ALLOWED is set with the value YES.

If this cookie is set the access is allowed, otherwise it is denied.

Every time an authorized request is made the cookie is set again to extend its lifetime.

Gerald Schneider
  • My question is about whether I can obtain dynamically a value from the url parameter and then check, whether a cookie with that name exists. – Lokomotywa Sep 05 '22 at 07:35
  • It's about semi security as well. – Lokomotywa Sep 05 '22 at 07:36
  • I don't think this is possible. The only variable I can find is `%{QUERY_STRING}`, the URL parameters don't exist as separate variables. I don't see any way to split this up. – Gerald Schneider Sep 05 '22 at 07:41
  • If I already have both strings (query string and http cookie) in the config, there must be a way of comparing them the way I want. This is a very simple string comparison operation and apache is supposed to be very powerful. – Lokomotywa Sep 05 '22 at 07:43
  • It might be helpful to provide what you already have; it saves people from starting from scratch. – Gerald Schneider Sep 05 '22 at 07:44
  • I don't have anything I can show yet. – Lokomotywa Sep 05 '22 at 07:45
  • I want to process a specific pattern of http requests only in case a specific url parameter value matches a cookie and deny it otherwise. – Lokomotywa Sep 05 '22 at 07:46
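
One way to express the check from the question in mod_rewrite, as an added example that is not from either poster: join the query string and the Cookie header into one test string and use a regex backreference so the captured parameter value must reappear as a cookie name. The parameter name myparam and the cookie value 1 come from the question; the # separator and the allowed character set for the value are assumptions of this sketch.

```apache
RewriteEngine On

# TestString is "<query string>#<Cookie header>". A request's query string
# never contains a raw "#", so the first "#" is always the separator.
#
#   ^(?:[^#]*&)?myparam=([A-Za-z0-9_]+)  capture the value of myparam
#   (?:&[^#]*)?#                         skip the rest of the query string
#   (?:.*;\s*)?\1=1(?:;|$)               a cookie whose NAME equals the capture
#                                        and whose value is exactly 1
#
# The leading "!" negates the match: the request is refused when myparam is
# missing, contains other characters, or no cookie of that name is set to 1.
RewriteCond "%{QUERY_STRING}#%{HTTP_COOKIE}" "!^(?:[^#]*&)?myparam=([A-Za-z0-9_]+)(?:&[^#]*)?#(?:.*;\s*)?\1=1(?:;|$)"
RewriteRule ^ - [F]

# Notes:
# - QUERY_STRING is not URL-decoded, so myparam=a%62c does not match a cookie
#   named abc; the character class above rejects percent-encoded values outright.
# - Both the parameter and the cookie are supplied by the client, so this only
#   checks that the two agree. It is not authentication.
```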