Recipe 3-5: Adding Fake Cookies
This recipe shows you how to add fake cookies and to alert if the data is ever manipulated.
Ingredients
  • ModSecurity Reference Manual
    • SecRule action
  • Apache Header directive
Cookie Usage
The HTTP protocol has no built-in session awareness: each transaction is independent of the others. The application therefore needs a method to track who someone is and what actions he has previously taken (for instance, in a multistep process). Cookies were created precisely for this purpose. The application issues Set-Cookie response header data to the client web browser, and this cookie data instructs the browser to send the same data back to the web application on subsequent requests. For instance, upon an initial request to the Facebook login page, you receive the following response headers:
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-Content-Security-Policy-Report-Only: allow *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*;options inline-script eval-script;report-uri http://www.facebook.com/csp.php
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Set-Cookie: datr=s-5cT6A6n8yCIuluXqyQR4fw; ...
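The two ingredients of this recipe fit together as follows. The Apache Header directive issues a decoy cookie that the application never reads, and a ModSecurity SecRule checks that the browser returns it unchanged. A legitimate browser echoes the value verbatim, so any request in which the value differs has been hand-edited, replayed from a tampering proxy, or generated by a tool that guesses at session identifiers. The configuration below is an added illustration, not the book's own listing: the cookie name fakesessionid, its value, and the rule id 1000 are constructed for this example and should be chosen per deployment.

```apache
# --- Apache (mod_headers): plant the decoy cookie ---------------------
# "add" rather than "set" so that the application's real Set-Cookie
# headers are preserved. The name and value are constructed for this
# example; pick something that looks like a genuine session token.
Header add Set-Cookie "fakesessionid=6f1c8a2b9d4e7f03; Path=/; HttpOnly"

# --- ModSecurity: alert and block if the decoy comes back altered -----
# REQUEST_COOKIES:fakesessionid is only populated when the client sent
# the cookie, so a first visit (no cookie yet) does not match this rule.
# Any returned value other than the one we issued is tampering.
SecRule REQUEST_COOKIES:fakesessionid "!@streq 6f1c8a2b9d4e7f03" \
    "id:1000,phase:1,t:none,log,deny,status:403,\
    msg:'Fake cookie value manipulated',\
    logdata:'fakesessionid=%{MATCHED_VAR}',\
    tag:'HONEYTRAP/COOKIE_TAMPERING'"
```

Because the decoy value is constant, the rule is a plain string comparison and carries no false-positive risk from normal users; the only way to trip it is to send a fakesessionid cookie whose value differs from the issued one. The logdata action records the altered value so the alert can be triaged, and phase:1 evaluates the check on request headers before any request body is processed.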
