Understand that. My version of the exception means "exclude rule 981318 from checking the value of the cookie which has the name CFAUTH..."
Your version of the rule means "exclude rule 981318 from checking the name of the cookie which has the name CFAUTH..."

Both versions of the exclude config are specific to that cookie name. The log you've shown suggests it's the cookie value (for cookie CFAUTH..) which is triggering the rule, not the cookie NAME itself. This makes sense if the cookie value contains double quotes, as that is basically what rule 981318 checks for.

There's rarely a need to check the cookie name, so mostly you want to check the value. However, if your cookie name included an SQL word (e.g. if your cookie was called abcTRUNCATE123 for example) then you might want to exclude the cookie name from SQL injection rules.

Thanks,
Barry

> On 26 Apr 2016, at 20:38, Colin MacAllister <cmacallis...@probono.net> wrote:
>
> I'm trying to remove the rule when the cookie *name* is that CFAUTH... The cookie value changes with each session. What they have in common are enclosing double quotes, but I only wish to whitelist them when the cookie name is as above.
>
> from my phone
>
> On Apr 26, 2016 3:10 PM, Barry Pollard <barry_poll...@hotmail.com> wrote:
> You are whitelisting the cookie name and not its value.
>
> Try this:
>
> SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES:CFAUTHORIZATION_cfadmin"
>
> Thanks,
> Barry
>
> > On 26 Apr 2016, at 19:47, Colin MacAllister <cmacallis...@probono.net> wrote:
> >
> > SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES_NAMES:CFAUTHORIZATION_cfadmin"
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set