Posted to users@httpd.apache.org by De Gang Thierry <de...@scarlet.be> on 2009/08/13 10:02:22 UTC

[users@httpd] How to fool a cookie with RewriteEngine

Hi all,

Is there a way in RewriteEngine to fool a cookie to read the contents of
another domain whilst you're on another?

My intentions are:

Currently I've got in the .htaccess

RewriteCond   %{HTTP_HOST}                 ^www\.[^.]+\.ravenclans\.com$
RewriteRule   ^(.+)                        %{HTTP_HOST}$1          [C]
RewriteRule   ^www\.([^.]+)\.ravenclans\.com(.*) /home/content/d/g/t/dgtnt/html/rgn_main/clans$1$2

#RewriteRule   %{HTTP_COOCKIE}                 ^www.\ravengames\.com/clans$

The domain assigning works w/o any problems and I can do it in another way
as well, yet, when looking onsite, I can't log in nor use the required cookies.

The contents of the cookie are coming from ravenforums.com and it is these
contents that I need.

This is the reason why I want to fool the cookie.

I believe that this can be done with RewriteEngine.

Regards.

   De Gang Thierry
	---
Email: de.gang.t@scarlet.be
Msn: euthanasia@scarlet.be
Mobile: (0032) 0 498/33.51.59
Phone:  (0032) 0 2/751.04.58
Website: http://www.dgtnt.be
Proud =[BBT]='r: http://www.bigbadteam.com
http://www.RavenGames.com - Your hub for all Raven Software games

	---
Privacy Note:
This is a private email address for
personal use. Any abuse of this email
address will be reported with a full
report to your ISP. Just think and be
smart and only use it when needed.
	---


Re: [users@httpd] How to fool a cookie with RewriteEngine

Posted by André Warnier <aw...@ice-sa.com>.
De Gang Thierry wrote:
> Well, ravenclans.com and ravenforums.com are both on the same host and using
> the same main directories, yet each has their own directory to work with.
> Thus this doesn’t make a security breach for me.

Sorry, but that is pretty much irrelevant, since the web servers and the 
browsers and the RFCs that dictate how these things work are what they are.

Now if instead of naming your domains (and hosts) ravengames.com and 
ravenforums.com, you had named them games.raven.com and 
forums.raven.com, then you could probably do what you want.

Just in case you would have this idea, let me discourage you right away:
you cannot set your cookie domain to just ".com".  That doesn't work
either.


The definite authority is RFC2965 (http://tools.ietf.org/html/rfc2965).
For an easier to read version, see http://en.wikipedia.org/wiki/HTTP_cookie
which in the section "Cookie attributes" has the phrase "For security 
reasons, the cookie is accepted only if the server is a member of the 
domain specified by the domain string."


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] How to fool a cookie with RewriteEngine

Posted by De Gang Thierry <de...@scarlet.be>.
Well, ravenclans.com and ravenforums.com are both on the same host and using
the same main directories, yet each has their own directory to work with.
Thus this doesn’t make a security breach for me.

Example:
Main directory: /home/content/d/g/t/dgtnt/html/rgn_main/
Ravenforums.com: /home/content/d/g/t/dgtnt/html/rgn_main/board
Ravenclans.com: /home/content/d/g/t/dgtnt/html/rgn_main/clans

The downside is that cookies are only limited to ravengames.com and
ravenforums.com and still, all 3 domains are using the same engine to work
with.

This is the reason why I want to fool the cookie with RewriteEngine.

Regards.


   De Gang Thierry


> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Thursday 13 August 2009 18:41
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] How to fool a cookie with RewriteEngine
> 
> De Gang Thierry wrote:
> > Hi all,
> >
> > Is there a way in RewriteEngine to fool a cookie to read the contents of
> > another domain whilst you're on another?
> >
> etc..
> 
> I have not really considered the details of what you want to do, but in
> principle I would say it cannot be done, for security reasons.
> If one site could set a cookie for any other site, then the site
> www.very-bad-guys.com could set a cookie that the browser would send
> later to the site www.all-angels.com, with whatever consequences.
> 
> However, two websites that are members of the same upper-level domain can set
> cookies valid for both, such as if one site is www.company.com and the
> other is anotherserver.company.com, then they both can set a cookie for
> ".company.com", and the browser would send this cookie along with any
> request to any one of the two sites.


Re: [users@httpd] How to fool a cookie with RewriteEngine

Posted by André Warnier <aw...@ice-sa.com>.
De Gang Thierry wrote:
> Hi all,
> 
> Is there a way in RewriteEngine to fool a cookie to read the contents of
> another domain whilst you're on another?
> 
etc..

I have not really considered the details of what you want to do, but in
principle I would say it cannot be done, for security reasons.
If one site could set a cookie for any other site, then the site
www.very-bad-guys.com could set a cookie that the browser would send
later to the site www.all-angels.com, with whatever consequences.

However, two websites that are members of the same upper-level domain can set
cookies valid for both, such as if one site is www.company.com and the
other is anotherserver.company.com, then they both can set a cookie for
".company.com", and the browser would send this cookie along with any
request to any one of the two sites.



Re: [users@httpd] How to fool a cookie with RewriteEngine

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Aug 13, 2009 at 10:02 AM, De Gang Thierry<de...@scarlet.be> wrote:

> I believe that this can be done with RewriteEngine.

Are you certain you are even getting the cookie? Browsers only send
cookies back to the domain set for the cookie, so if ravenforums.com
sets cookies with ravenforums.com as domain your host will never see
it, which pretty much precludes doing anything with it.

You can't rewrite a cookie using RewriteRules anyway. Not in the way
you think this might be possible. RewriteRules operate on and change
URLs. They can change other things as a side effect, but not cookies.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
