Session cookies lost on redirect

  • #41858
    emiliano
    Participant

    Hi,
    I have an issue with the WordPress session cookies: the BPS Security log does not have anything in it, and when I disable “Root Folder BulletProof Mode” and “wp-admin Folder BulletProof Mode” the problem disappears.

    There is a redirect from the WordPress WooCommerce plugin to a third party payment site then that redirects again on the WooCommerce plugin page.

    When “Root Folder BulletProof Mode” is enabled there are no more WordPress session cookies on the request, so WordPress redirects to the access page instead of the correct landing page.

    Is there something that I can do in terms of exceptions? Looking at “custom code” and in the BPS forum I couldn’t find anything similar to what I’m searching for…

    These are the request headers when the RBM and WBM are disabled:

    Request Headers
    :authority: test.mywebsite.com
    :method: POST
    :path: /checkout/order-pay/14272/?key=wc_order_jHlfDugeo41Lh
    :scheme: https
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    authorization: Basic dGVzdHVzZXI6MjAyMUlSTSQ=
    cache-control: max-age=0
    content-length: 245
    content-type: application/x-www-form-urlencoded
    cookie: wordpress_logged_in_4edc0f9072bd27514fa3943d2cd39db1=myuser%7C1653214968%7CTXrZYZBJghZ4f3Pu7N2swH4xzCS6yL6GfDI3R0OigT4%7Cef089f03da2db309f7fe6f4ede41a255307c17ad97dcc45c25becff3d9bf6d0a; wp_woocommerce_session_4edc0f9072bd27514fa3943d2cd39db1=24%7C%7C1653214970%7C%7C1653211370%7C%7Cfa6afbf6564ac8762b6840a4cd9087bf; woocommerce_items_in_cart=1; woocommerce_cart_hash=68d1016ceed1440f049c62791d148069; PaymentHash=fnz74AB_o4VU48X_7zfYyiAkqxQHGydaxJPUFNS4S0lA7t9MAg7ZVizt89nMpaImKgNplef3BUYcdSpgKtSqjdWFex5QbLfdbgRJoDxscjAeFjkYKgRLL3v_MRdvIPb1VrquPf2DMGld_co2wheCRj6O3gLSWqCrcFUmD_v5Xq3duoVBvswRckKq17mim9orFFxClz5LaQnTJA2Db7WoeAE7dsuBQuOCETkXDijsMO%2AfO8mOcpXYjydEq9LsZb8MzcVtBW__Tg6mf3JOP7DGLDD9Uir6Ihhs%2Ahw2wx5mo_H9jgH34wgQlKdjVTeFLpytTyIfnKricVEJCLWY_iKiYYGJwuu4Ju5jrvj2msWj5kemYiCl_uk590TtMecwDPy1INwFFlw1F%2AoI5kN8kPm1KJMX%2AlrekR7nMNAEGoygjBO6T2yskTLcVOzC5QQo09sgE8G5ejZRs9bCjgA7vNljFPq20zY%2AcxoEPWcADtaGQdQ6edKC70PO4YsqeBpogbltohF5Sf3d4keY%2AgFIT4z65zE0C5EdnwWeEIsqVOyyC35LWB28_ptI8xgc4Oi4fyapsCmJVOF%2AH791D3UOt4D29OwEmDkK5MX9DvYS2vFIFBiV204zN9GX%2A4eErSCC_eNrQHS5FhhCzVa9qgMpLCUPXyTonk18_baVcNVXbHzdU%2AA; PaymentKey=213212363
    dnt: 1
    origin: https://payment.thirdparty.com
    referer: https://payment.thirdparty.com/
    sec-fetch-dest: document
    sec-fetch-mode: navigate
    sec-fetch-site: cross-site
    sec-gpc: 1
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36

    When RBM and WBM are enabled, wordpress_logged_in_*** and wp_woocommerce_session_*** are no longer present in the request headers, causing WordPress to redirect to login… and missing the correct landing page on WooCommerce.

    Thanks!

    Emiliano

    #41860
    AITpro Admin
    Keymaster

    The Request appears to be a POST Request in your Headers above, but that may only be when you are submitting the form and the Request back to your site is probably a GET Request.

    Are you using the BPS POST Attack Protection custom code?  If so, remove/delete it from BPS Root Custom Code.

    If you do not have any POST custom htaccess code then do the steps below to isolate and confirm the BPS root htaccess code that is causing the block.  Most likely it is a security rule in the Query String Exploits block of htaccess code.

    Copy this htaccess code below into this BPS Root Custom Code text box:  12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    Click the Save Root Custom Code button.
    Go to the Security Modes tab page and activate Root folder BulletProof Mode.
    Test your payment site redirect.  Let me know what happens.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    #41861
    emiliano
    Participant

    Hi,

    No “BPS POST Attack Protection” on my configuration.

    With your custom code the payment site redirect works again.

    And it works also just commenting the two following lines:

    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]

    Since I saw some mention of a “hidden iframe”…

    Then I just excluded the payment website with this rule:

    RewriteCond %{HTTP_REFERER} thirdparty\.com.* [NC,OR]

    Is it safe enough?

    Many thanks!
    Emiliano

    #41862
    AITpro Admin
    Keymaster

    Yep, it is safe to either comment out the iframe security rules or to create a Rewrite bypass rule.  Just remember to save your custom htaccess code changes in this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS, so that your custom htaccess code is saved permanently.
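An added offline test harness (not from the thread, not BPS code) that emulates the two iframe query-string conditions and a referer-based bypass like the ones discussed above, so a WooCommerce return URL can be checked against the rules before editing the live .htaccess; the payment host pattern and all sample requests are assumptions/constructed.

```python
import re
from urllib.parse import urlsplit

# The two BPS "Query String Exploits" iframe conditions quoted in the thread,
# kept in their Apache PCRE form (Python's re accepts them unchanged).
# Apache tests %{QUERY_STRING} raw, not URL-decoded, which is why each rule
# carries both the literal and the %3C/%3E encoded delimiters. [NC] -> IGNORECASE.
IFRAME_RULES = [
    ("iframe-literal", re.compile(r"(\<|%3C).*iframe.*(\>|%3E)", re.IGNORECASE)),
    ("iframe-split",   re.compile(r"(<|%3C)([^i]*i)+frame.*(>|%3E)", re.IGNORECASE)),
]

# Assumed bypass host. Anchoring to the payment origin means "thirdparty.com"
# appearing somewhere else in a referer URL does not also disable the rules.
BYPASS_REFERER = re.compile(r"^https://payment\.thirdparty\.com/", re.IGNORECASE)


def evaluate(url: str, referer: str = "") -> dict:
    """Emulate the rewrite decision for one request.

    Returns {"action": "allow" | "forbid" | "bypass", "rule": name or None}.
    Any matching condition forbids the request, like an [OR] chain; the first
    condition to match (in file order) is the one reported.
    """
    query = urlsplit(url).query  # raw query string, as mod_rewrite sees it
    if referer and BYPASS_REFERER.search(referer):
        return {"action": "bypass", "rule": None}
    for name, rx in IFRAME_RULES:
        if rx.search(query):
            return {"action": "forbid", "rule": name}
    return {"action": "allow", "rule": None}


if __name__ == "__main__":
    # Constructed sample requests; the first URL is the one from the thread.
    samples = [
        ("https://test.mywebsite.com/checkout/order-pay/14272/?key=wc_order_jHlfDugeo41Lh",
         "https://payment.thirdparty.com/"),
        ("https://test.mywebsite.com/checkout/?return=%3Ciframe%20src%3Dx%3E", ""),
        ("https://test.mywebsite.com/checkout/?return=%3Ciframe%20src%3Dx%3E",
         "https://payment.thirdparty.com/"),
        ("https://test.mywebsite.com/checkout/?return=%3Ciframe%20src%3Dx%3E",
         "https://other.example/?next=thirdparty.com"),
    ]
    for url, ref in samples:
        print(f"{evaluate(url, ref)['action']:7} {url}  referer={ref or '-'}")
```

Referer is supplied by the client, so a bypass keyed on it is only as narrow as its pattern; anchoring it to the payment host's origin and placing it before only the rules that block the redirect keeps the rest of the QSE block active.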
