I have the following rule in web.config designed to identify and rewrite outbound session cookies with both the secure and httpOnly flags:
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="MatchSessionCookies">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
</preCondition>
</preConditions>
<rule preCondition="MatchSessionCookies" name="SecureSessionCookies" enabled="true">
<match serverVariable="RESPONSE_SET_COOKIE" pattern="^(.*sess.*)=(.+)$" />
<action type="Rewrite" value="{R:1}={R:2}; httpOnly; secure" />
</rule>
</outboundRules>
</rewrite>
This works as intended, up until httpErrors comes into play:
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/path/to/404.aspx" responseMode="ExecuteURL" />
</httpErrors>
So when accessing /a-page-that-exists.aspx, the outbound ASPSESSIONID cookies that get written out are successfully rewritten with both secure and httpOnly flags.
Request URL: /a-page-that-exists.aspx Status Code: 200 OK Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/; httpOnly; secure
The problem is accessing /a-page-that-does-NOT-exist.aspx. It appears that the [404] request is internally “routed” to the ExecuteURL path and my URL rewrite rules I have in place are bypassed altogether.
Request URL: /a-page-that-does-NOT-exist.aspx Status Code: 200 OK Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/
Any ideas on how to modify my outbound rewrite rules so that they can be applied to [404] requests before being handed of to my 404 handler?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Well, it looks like we have to make do with a URL Rewrite version of IIS <httpErrors /> handler, but it works:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<!-- Remove existing 404 handler -->
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
</httpErrors>
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="MatchSessionCookies">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
</preCondition>
</preConditions>
<!-- Does NOT work with ExecuteURL 404 handler -->
<rule preCondition="MatchSessionCookies" name="SecureSessionCookies" enabled="true">
<match serverVariable="RESPONSE_SET_COOKIE" pattern="^(gsm|.*sess.*)=(.+)$" />
<action type="Rewrite" value="{R:1}={R:2}; httpOnly; secure" />
</rule>
</outboundRules>
<rules>
<!-- Re-implement ExecuteURL 404 handler as URL Rewrite -->
<rule name="Handle404" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAny">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Rewrite" url="/path/to/404.aspx?404;{PreserveSchema:{HTTPS}}{HTTP_HOST}{UNENCODED_URL}" />
</rule>
</rules>
<rewriteMaps>
<!-- http://stackoverflow.com/a/10227936/901156 -->
<rewriteMap name="PreserveSchema" defaultValue="OFF">
<add key="ON" value="https://" />
<add key="OFF" value="http://" />
</rewriteMap>
</rewriteMaps>
</rewrite>
</system.webServer>
</configuration>
And the response:
Request URL: /a-page-that-does-NOT-exist.aspx Status Code: 200 OK Set-Cookie: ASPSESSIONIDABCDEFG=...; path=/; httpOnly; secure
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0