JoshBerke

Reputation: 67148

URL Rewrite Custom Header into a Cookie

I have a client making HTTP requests to a WebAPI. The APIs are secured using a cookie; however, this client is unable to send cookies. This client is able to send custom HTTP headers. So can we use the rewrite module to take a custom HTTP header and set it as the cookie?

I have added HTTP_COOKIE as a server variable. Where I am struggling is the condition. How do I set the condition to pull a custom HTTP header and set it as a cookie?

EDIT: So I got the header being copied to the cookie using the rule below:

    <rule name="cookie" patternSyntax="ECMAScript">
        <match url=".+" />
        <serverVariables>
            <set name="HTTP_COOKIE" value="{C:0}" />
        </serverVariables>
        <action type="None" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
            <add input="{HTTP_ccauth}" pattern=".+" />
        </conditions>
    </rule>

Now it overwrites the cookie, so I need to append to it instead...

Upvotes: 0

Views: 1062

Answers (2)

JoshBerke

Reputation: 67148

Requires two rules: one to set the cookie if there is no cookie, and another to append it to the cookies if there is a cookie.

    <!-- Runs when both the ccauth header and a Cookie header are present.
         With trackAllCaptures="true", {C:1} is the ccauth value and {C:2} the existing cookies. -->
    <rule name="Append Auth Header to Cookies" patternSyntax="ECMAScript" stopProcessing="true">
        <match url=".+"/>
        <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
            <add input="{HTTP_ccauth}" pattern="(.+)"/>
            <add input="{HTTP_COOKIE}" pattern="(.+)"/>
        </conditions>
        <serverVariables>
            <!-- Cookie pairs in a Cookie header are separated by "; " -->
            <set name="HTTP_COOKIE" value="{C:1}; {C:2}"/>
        </serverVariables>
        <action type="None"/>
    </rule>
    <!-- Reached only when the rule above did not match, i.e. there is no Cookie header yet. -->
    <rule name="Set Auth Header to Cookies" patternSyntax="ECMAScript" stopProcessing="true">
        <match url=".+"/>
        <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
            <add input="{HTTP_ccauth}" pattern="(.+)"/>
        </conditions>
        <serverVariables>
            <set name="HTTP_COOKIE" value="{C:1}"/>
        </serverVariables>
        <action type="None"/>
    </rule>

Upvotes: 1
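
An added example, not part of either answer: the same header-to-cookie rewrite with the `ccauth` value validated first, so the header can only ever contribute a single `name=value` pair to the `Cookie` header. The character classes in the validation pattern, the rule names and the 400 response are assumptions; tighten the pattern to the API's real cookie name and token format.

```xml
<rewrite>
    <!-- HTTP_COOKIE must be allow-listed before any rule may set it
         (this list is usually configured at server level in applicationHost.config). -->
    <allowedServerVariables>
        <add name="HTTP_COOKIE" />
    </allowedServerVariables>
    <rules>
        <!-- 1. ccauth is present but is not exactly one name=value pair: reject the request.
                ";" "," and whitespace are excluded, so no extra cookie pairs can ride along. -->
        <rule name="Reject malformed ccauth" patternSyntax="ECMAScript" stopProcessing="true">
            <match url=".*" />
            <conditions logicalGrouping="MatchAll">
                <add input="{HTTP_ccauth}" pattern=".+" />
                <!-- Assumed alphabet for cookie name and value -->
                <add input="{HTTP_ccauth}" pattern="^[A-Za-z0-9_.-]+=[A-Za-z0-9_.%+/=-]+$" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="400" statusReason="Bad Request"
                    statusDescription="Malformed ccauth header" />
        </rule>
        <!-- 2. Valid ccauth plus an existing Cookie header: join the two with "; ". -->
        <rule name="Append ccauth to cookies" patternSyntax="ECMAScript" stopProcessing="true">
            <match url=".*" />
            <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
                <add input="{HTTP_ccauth}" pattern="^(.+)$" />
                <add input="{HTTP_COOKIE}" pattern="^(.+)$" />
            </conditions>
            <serverVariables>
                <set name="HTTP_COOKIE" value="{C:1}; {C:2}" />
            </serverVariables>
            <action type="None" />
        </rule>
        <!-- 3. Valid ccauth and no Cookie header: ccauth becomes the Cookie header. -->
        <rule name="Set ccauth as cookie" patternSyntax="ECMAScript" stopProcessing="true">
            <match url=".*" />
            <conditions logicalGrouping="MatchAll">
                <add input="{HTTP_ccauth}" pattern="^(.+)$" />
            </conditions>
            <serverVariables>
                <set name="HTTP_COOKIE" value="{C:1}" />
            </serverVariables>
            <action type="None" />
        </rule>
    </rules>
</rewrite>
```

`match url=".*"` is used here so the rules also apply to the site root, where the matched URL path is empty and `.+` would not match.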

Abraham Qian

Reputation: 7532

In my opinion, if the WebAPI is secured by using a cookie, the client should be authenticated by the WebAPI authentication (JWT, ASP.NET Identity) system instead of setting a local cache to transfer the credentials. If the client cookies could be set up by JS/Postman, the system is not secure; HttpOnly kind of cookies is advisory.
Besides, you could add a query string in the URL to determine if setting up a local cache. Please refer to the links below.
https://www.reddit.com/r/dotnet/comments/2xb6a5/is_there_a_way_to_add_a_setcookie_header_using/
https://clarify.dovetailsoftware.com/gsherman/2011/01/20/using-the-url-rewrite-module-to-set-your-cookies-to-httponly/

Upvotes: 0
