I'm moving an old web application written in ColdFusion to PHP5. The old app was using a cookie, and so a lot of users got it in their browsers.
The domain is the same, and so PHP5 gets the old cookie in the auto-global $_COOKIE; in other words, the resulting print_r( $_COOKIE ) looks like:
```
Array
(
    [CFID] => 10753812
    [CFTOKEN] => 81032420
    [CFGLOBALS] => urltoken=CFID#=10753812&CFTOKEN#=81032420#lastvisit={ts \'2011-12-07 11:51:43\'}#timecreated={ts \'2011-11-28 01:19:23\'}#hitcount=3#cftoken=81032420#cfid=10753812#
)
```
That's overall OK, except for the application firewall ModSecurity2: on autoloading $_COOKIE, the firewall detects it as evil. First with a false-positive SQL injection, then with some XSS attack matches.
I can disable those rules, but that isn't the best solution (I think).
How can I check if the ColdFusion cookie exists? How can I remove the old cookie from the user's browser without autoloading it?
Thanks.
Solved with a specific ModSecurity2 rule and a PHP bridge page:
1) HTTP layer: when the cookie is present, redirect to... In Apache's config:
```
SecRule REQUEST_COOKIES:CFGLOBALS !^$ "phase:1,nolog,pass,redirect:http://www.abcde.com/cookie_reset.php"
```
2) Application layer: reset the old cookies. In the page cookie_reset.php:
```php
<?php
// Expire the three ColdFusion cookies by sending them back with a
// timestamp in the past, then return the browser to the site root.
setcookie("CFID", "", time() - 3600);
setcookie("CFTOKEN", "", time() - 3600);
setcookie("CFGLOBALS", "", time() - 3600);
header("Location: http://www.abcde.com/");
exit; // stop here so nothing else is sent after the redirect
```
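A fuller version of the reset page, added here as an example and not the code from the answer above: it checks in PHP which ColdFusion cookies arrived (so the page also works without the ModSecurity rule) and expires each one for every path/domain combination the old application might have used, since a browser only replaces a cookie whose name, path and domain all match. It assumes the cookie names from the question, the placeholder host www.abcde.com, PHP 5 syntax, and that the ModSecurity rule does not fire for cookie_reset.php itself (otherwise the redirect would loop).

```php
<?php
// cookie_reset.php: added example, not the original answer's code.
// Assumptions: cookie names as in the question, placeholder host
// www.abcde.com, cookies set on the root path with or without an
// explicit domain attribute. Uses array() syntax so it runs on PHP 5.

define('APP_HOST', 'www.abcde.com');
define('APP_HOME', 'http://www.abcde.com/');

// Names of the legacy ColdFusion session cookies we want gone.
function cfCookieNames()
{
    return array('CFID', 'CFTOKEN', 'CFGLOBALS');
}

// Return the ColdFusion cookie names that arrived with this request.
function coldFusionCookiesPresent(array $cookies)
{
    return array_values(array_intersect(cfCookieNames(), array_keys($cookies)));
}

// Expire one cookie. The deletion is repeated for each path/domain pair
// because the browser keys cookies on (name, path, domain); a Set-Cookie
// with the wrong path or domain leaves the original cookie in place.
function expireCookie($name)
{
    $past = time() - 3600;
    foreach (array('/', '') as $path) {
        foreach (array('', APP_HOST) as $domain) {
            setcookie($name, '', $past, $path, $domain);
        }
    }
}

foreach (coldFusionCookiesPresent($_COOKIE) as $name) {
    expireCookie($name);
}

// The cookie values are client-controlled input (they are what tripped the
// WAF), so they are never echoed into the response; just redirect home.
header('Location: ' . APP_HOME, true, 302);
exit;
```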