Reputation: 2353
I have a website that I don't want anyone to be able to access UNLESS... they have a valid HttpOnly cookie in their browser.
So a user logs in at www.domain.com and has an HttpOnly cookie set in their browser. Then they get redirected to dashboard.domain.com, which should show them private stuff!
But if someone goes directly to dashboard.domain.com without first logging in, then they won't have a cookie in their request, and I want IIS to redirect them to the www site.
How can I ask IIS to check that a cookie exists (value doesn't matter, it should just exist) before serving a website? Can IIS even do that?
Upvotes: 0
Views: 1217
Reputation: 2353
Goal: Redirect user if a cookie is NOT present in their request.
Solution:
CookieName=some_value
negate property inverts the condition, similar to a NOT operator.
redirectType="Found" is optional and is 302. Default is 301.
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect if Cookie is NOT present" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_COOKIE}" pattern="CookieName=*" negate="true"/>
          </conditions>
          <action type="Redirect" url="https://www.my-domain.com" redirectType="Found"/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
This rule is basically a wildcard for a cookie with CookieName so that if a cookie with that name has any value at all, this rule won't take effect. But if the cookie does not exist, you will be redirected to another URL.
One caveat is that there's no way to identify an HttpOnly cookie vs a browser-set cookie... :(
Upvotes: 1
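How the condition in the rule above evaluates different Cookie headers, as an added example that is not part of the original answer. It assumes URL Rewrite's defaults (ECMAScript pattern syntax, partial match, ignoreCase on); `conditionFires`, `STRICT_PATTERN` and the sample headers are constructed for illustration.

```javascript
// Added example: emulates how an IIS URL Rewrite condition evaluates
// {HTTP_COOKIE} against a pattern (ECMAScript regex, partial match,
// case-insensitive by default), so rule patterns can be checked offline.

// Returns true when the rule's condition is satisfied, i.e. the redirect fires.
function conditionFires(cookieHeader, pattern, negate) {
  const matched = new RegExp(pattern, "i").test(cookieHeader);
  return negate ? !matched : matched;
}

// Pattern from the answer above, and a stricter variant (assumption, not from
// the page): the name must start a cookie pair and carry a non-empty value.
const PAGE_PATTERN = "CookieName=*";
const STRICT_PATTERN = "(^|;\\s*)CookieName=[^;\\s]+";

// Constructed Cookie header values (an absent header is an empty string).
const SAMPLES = [
  { label: "no cookie header", header: "" },
  { label: "expected cookie", header: "theme=dark; CookieName=abc123" },
  { label: "empty value", header: "CookieName=" },
  { label: "name is only a suffix", header: "NotCookieName=1" },
  { label: "name appears in a value", header: "ref=CookieName" },
  { label: "value typed in by the client", header: "CookieName=anything" },
];

// Evaluates every sample with negate="true", as in the rule above.
function evaluate(pattern) {
  const result = {};
  for (const s of SAMPLES) {
    result[s.label] = conditionFires(s.header, pattern, true) ? "redirect" : "served";
  }
  return result;
}

function report() {
  return { page: evaluate(PAGE_PATTERN), strict: evaluate(STRICT_PATTERN) };
}

console.table(report().page);
console.table(report().strict);
```

The last sample is served under both patterns, so the rule only routes browsers that lack the cookie; dashboard.domain.com still has to validate the cookie's value itself before showing private content.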
Reputation: 5245
You can use the IIS Redirect Module. If the cookie exists, then it will redirect to dashboard.domain.com. Here is an example you can use as a reference.
If the cookie name is _xx and the value is HCjdskfds==, then your rule should be like this:
<rule name="redirect based on cookie" stopProcessing="true">
  <match url=".*" />
  <conditions>
    <add input="{HTTP_COOKIE}" pattern="_xx=HCjdskfds==" />
    <add input="{HTTP_HOST}" pattern="www.domain.com" />
  </conditions>
  <action type="Redirect" url="http://dashboard.domain.com" />
</rule>
Upvotes: 0