URL Rewrite Custom Header into a Cookie

I have a client making HTTP requests to a WebAPI. The APIs are secured using a cookie; however, this client is unable to send cookies. This client is able to send custom HTTP headers. So can we use the rewrite module to take a custom HTTP header and set it as the cookie?

I have added HTTP_COOKIE as a server variable. Where I am struggling is the condition. How do I set the condition to pull a custom HTTP header and set it as a cookie?

EDIT
So I got the header being copied to the cookie using the rule below:

            <rule name="cookie" patternSyntax="ECMAScript">
                <match url=".+" />
                <serverVariables>
                    <set name="HTTP_COOKIE" value="{C:0}" />
                </serverVariables>
                <action type="None" />
                <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                    <add input="{HTTP_ccauth}" pattern=".+" />
                </conditions>
            </rule>

Now it overwrites the cookie, so I need to append to it instead…

Answers:

Method 1

Requires two rules: one to set the cookie if there is no cookie and another to append it to the cookies if there is a cookie.

<!-- Header and an existing Cookie header are both present: join them.
     With trackAllCaptures="true", {C:1} is the ccauth value and {C:2} the
     existing cookies; cookie pairs must be separated by "; ". -->
<rule name="Append Auth Header to Cookies" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".+"/>
    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
        <add input="{HTTP_ccauth}" pattern="(.+)"/>
        <add input="{HTTP_COOKIE}" pattern="(.+)"/>
    </conditions>
    <serverVariables>
        <set name="HTTP_COOKIE" value="{C:1}; {C:2}"/>
    </serverVariables>
    <action type="None"/>
</rule>
<!-- Only reached when the rule above did not match (no Cookie header):
     the ccauth value becomes the whole Cookie header. -->
<rule name="Set Auth Header to Cookies" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".+"/>
    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
        <add input="{HTTP_ccauth}" pattern="(.+)"/>
    </conditions>
    <serverVariables>
        <set name="HTTP_COOKIE" value="{C:1}"/>
    </serverVariables>
    <action type="None"/>
</rule>
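
A stricter variant of the two rules above, as an added example that is not part of the original answer: it refuses a ccauth header that is not a single name=value pair, so the header cannot contribute extra cookies, and joins it to any existing cookies with "; ". The rule names, the allowed character set and the 400 response are assumptions, as is the premise that ccauth carries one complete name=value pair.

```xml
<rules>
  <!-- Added example. Assumes HTTP_COOKIE is already an allowed server variable
       (as in the question) and that ccauth carries one name=value pair. -->
  <!-- 1. Header present but not exactly one pair: refuse the request. The permitted
       characters are an assumption; narrow them to your cookie's real format. -->
  <rule name="Reject malformed ccauth" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".*" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
      <add input="{HTTP_ccauth}" pattern=".+" />
      <add input="{HTTP_ccauth}" pattern="^[A-Za-z0-9_.-]+=[A-Za-z0-9_.~%+/=-]+$" negate="true" />
    </conditions>
    <action type="CustomResponse" statusCode="400" statusReason="Bad Request"
            statusDescription="Malformed ccauth header" />
  </rule>
  <!-- 2. Cookie header already present: add the pair with the "; " separator.
       {C:1} = ccauth value, {C:2} = existing cookies. -->
  <rule name="Append ccauth to Cookie" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".*" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
      <add input="{HTTP_ccauth}" pattern="^(.+)$" />
      <add input="{HTTP_COOKIE}" pattern="^(.+)$" />
    </conditions>
    <serverVariables>
      <set name="HTTP_COOKIE" value="{C:1}; {C:2}" />
    </serverVariables>
    <action type="None" />
  </rule>
  <!-- 3. No Cookie header: the validated pair becomes the whole header. -->
  <rule name="Set Cookie from ccauth" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".*" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="true">
      <add input="{HTTP_ccauth}" pattern="^(.+)$" />
    </conditions>
    <serverVariables>
      <set name="HTTP_COOKIE" value="{C:1}" />
    </serverVariables>
    <action type="None" />
  </rule>
</rules>
```

If the client also sends a Cookie header that already contains the same cookie name, the backend receives both pairs, and which one it uses depends on its cookie parser.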

Method 2

In my opinion, if the WebAPI is secured by using a cookie, the client should be authenticated by the WebAPI authentication (JWT, ASP.NET Identity) system instead of setting a local cache to transfer the credentials. If the client cookies could be set up by JS/Postman, the system is not secure; the HttpOnly kind of cookies is advisory.
Besides, you could add a query string in the URL to determine whether to set up a local cache. Please refer to the links below.
https://www.reddit.com/r/dotnet/comments/2xb6a5/is_there_a_way_to_add_a_setcookie_header_using/
https://clarify.dovetailsoftware.com/gsherman/2011/01/20/using-the-url-rewrite-module-to-set-your-cookies-to-httponly/


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
