2

I am creating a gateway page that redirects visitors based on what services they are using.

What should a .htaccess rule that redirects a visitor if he has a cookie originating from the domain accounts.google.com look like?

```apache
RewriteEngine On
RewriteCond %{REQUEST_URI} /ingoing*$
RewriteCond %{HTTP_COOKIE} ?? WHAT SHOULD I PUT HERE ??[NC]
RewriteRule . example.com/outgoing [R,L]
```
SkyHiRider
  • possible duplicate of [Redirect, Change URLs or Redirect HTTP to HTTPS in Apache - Everything You Ever Wanted How to Know about Mod\_Rewrite Rules but Were Afraid to Ask](http://serverfault.com/questions/214512/redirect-change-urls-or-redirect-http-to-https-in-apache-everything-you-ever) – Jenny D Apr 19 '14 at 16:51

2 Answers

9

You cannot do this because you can only see cookies from the domain that your site is on. The browser will NOT send you any cookies from other domains.

Florin Asăvoaie
  • +1 for nice answer. If the browser allowed reading cookies across domains, there would be a major security problem. :) – Ravi Dhoriya ツ Apr 19 '14 at 06:19
  • What if I added a Google Maps iframe to my website? When I am logged into Google Maps I see my profile picture on the top right corner of the map, this could work (unless iframes have hidden cookies). – SkyHiRider Apr 19 '14 at 11:53
  • You will not be able to run your own code in that iframe (if we're talking about JS). You need to read a bit on how the HTTP protocol works. – Florin Asăvoaie Apr 19 '14 at 16:44
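
Added example (not part of the original answer or its comments): a simplified model of the RFC 6265 cookie-selection rules, showing which cookies a browser attaches to a given request. The cookie names and values are constructed, and only domain and path matching are modelled.

```javascript
// Simplified RFC 6265 cookie selection (domain-match and path-match only).
// Secure/HttpOnly/SameSite/expiry are ignored to keep the focus on scoping.

// RFC 6265 section 5.1.3: host equals the cookie domain, or is a subdomain of it.
function domainMatch(host, cookie) {
  host = host.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (host === domain) return true;
  // Host-only cookies (no Domain attribute) require an exact host match.
  if (cookie.hostOnly) return false;
  return host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: cookie path must be a prefix on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Build the Cookie header value a browser would attach to a request for `url`.
function cookieHeaderFor(url, jar) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => domainMatch(hostname, c) && pathMatch(pathname, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar: names and values are made up for illustration.
const jar = [
  { name: "LOGIN", value: "g1", domain: "accounts.google.com", hostOnly: true, path: "/" },
  { name: "PREFS", value: "g2", domain: "google.com", hostOnly: false, path: "/" },
  { name: "visit", value: "e1", domain: "example.com", hostOnly: false, path: "/" },
];

console.log(cookieHeaderFor("https://example.com/ingoing", jar));
console.log(cookieHeaderFor("https://accounts.google.com/", jar));
console.log(cookieHeaderFor("https://maps.google.com/maps", jar));
```

The request to example.com carries only `visit=e1`, so `%{HTTP_COOKIE}` on that server never contains anything set by accounts.google.com. The maps.google.com request (the iframe case from the comments) does carry a Google cookie, but it is sent to Google's server, not to the embedding site.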
0

In the end you are asking for instructions for session hijacking. There are ways that might work, but once you are detected, any search engine will kick your site out of their index as an attack site.

There is a simple solution, though: if you want to know whether the new user found your site through Google or another search engine, check the referer. Since you are using mod_rewrite, search the Apache docs for HTTP_REFERER.

  • I want to create a gateway page - if the user is logged into Google I want him to be redirected to the Google Review page, otherwise he should be redirected to a general review page. – SkyHiRider Apr 18 '14 at 21:01
  • 1
    As Florin Asavoaie pointed out: no legal way to get that cookie. – Rüdiger Voigt Apr 18 '14 at 21:06