Session cookies lost on redirect

Home Forums BulletProof Security Free Session cookies lost on redirect

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
  • #41858

    I have an issue with the WordPress session cookies: the BPS Security log does not have anything on it and disabling “Root Folder BulletProof Mode” and “wp-admin Folder BulletProof Mode” the problem disappears.

    There is a redirect from the WordPress WooCommerce plugin to a third party payment site then that redirects again on the WooCommerce plugin page.

    When “Root Folder BulletProof Mode” is enabled there are no more WordPress session cookies on the request: so WordPress redirect to the access page instead of the correct landing page.

    Is there something that I can do in terms of exceptions? Looking at “custom code” and in the BPS forum I couldn’t find anything similar to what I’m searching for…

    This is are the request headers when the RBM and WBM are disabled:

    Request Headers
    :method: POST
    :path: /checkout/order-pay/14272/?key=wc_order_jHlfDugeo41Lh
    :scheme: https
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    authorization: Basic dGVzdHVzZXI6MjAyMUlSTSQ=
    cache-control: max-age=0
    content-length: 245
    content-type: application/x-www-form-urlencoded
    cookie: wordpress_logged_in_4edc0f9072bd27514fa3943d2cd39db1=myuser%7C1653214968%7CTXrZYZBJghZ4f3Pu7N2swH4xzCS6yL6GfDI3R0OigT4%7Cef089f03da2db309f7fe6f4ede41a255307c17ad97dcc45c25becff3d9bf6d0a; wp_woocommerce_session_4edc0f9072bd27514fa3943d2cd39db1=24%7C%7C1653214970%7C%7C1653211370%7C%7Cfa6afbf6564ac8762b6840a4cd9087bf; woocommerce_items_in_cart=1; woocommerce_cart_hash=68d1016ceed1440f049c62791d148069; PaymentHash=fnz74AB_o4VU48X_7zfYyiAkqxQHGydaxJPUFNS4S0lA7t9MAg7ZVizt89nMpaImKgNplef3BUYcdSpgKtSqjdWFex5QbLfdbgRJoDxscjAeFjkYKgRLL3v_MRdvIPb1VrquPf2DMGld_co2wheCRj6O3gLSWqCrcFUmD_v5Xq3duoVBvswRckKq17mim9orFFxClz5LaQnTJA2Db7WoeAE7dsuBQuOCETkXDijsMO%2AfO8mOcpXYjydEq9LsZb8MzcVtBW__Tg6mf3JOP7DGLDD9Uir6Ihhs%2Ahw2wx5mo_H9jgH34wgQlKdjVTeFLpytTyIfnKricVEJCLWY_iKiYYGJwuu4Ju5jrvj2msWj5kemYiCl_uk590TtMecwDPy1INwFFlw1F%2AoI5kN8kPm1KJMX%2AlrekR7nMNAEGoygjBO6T2yskTLcVOzC5QQo09sgE8G5ejZRs9bCjgA7vNljFPq20zY%2AcxoEPWcADtaGQdQ6edKC70PO4YsqeBpogbltohF5Sf3d4keY%2AgFIT4z65zE0C5EdnwWeEIsqVOyyC35LWB28_ptI8xgc4Oi4fyapsCmJVOF%2AH791D3UOt4D29OwEmDkK5MX9DvYS2vFIFBiV204zN9GX%2A4eErSCC_eNrQHS5FhhCzVa9qgMpLCUPXyTonk18_baVcNVXbHzdU%2AA; PaymentKey=213212363
    dnt: 1
    sec-fetch-dest: document
    sec-fetch-mode: navigate
    sec-fetch-site: cross-site
    sec-gpc: 1
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36

    When RBM and WBM are enabled wordpress_logged_in_*** and wp_woocommerce_session_*** are no more present in the request headers, causing WordPress to redirect for login… and missing the correct landing page on WooCommerce.



    AITpro Admin

    The Request appears to be a POST Request in your Headers above, but that may only be when you are submitting the form and the Request back to your site is probably a GET Request.

    Are you using the BPS POST Attack Protection custom code?  If so, remove/delete it from BPS Root Custom Code.

    If you do not have any POST custom htaccess code then do the steps below to isolate and confirm the BPS root htaccess code that is causing the block.  Most likely it is a security rule in the Query String Exploits block of htaccess code.

    Copy this htaccess code below into this BPS Root Custom Code text box:  12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    Click the Save Root Custom Code button.
    Go to the Security Modes tab page and activate Root folder BulletProof Mode.
    Test your payment site redirect.  Let me know what happens.

    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]


    No “BPS POST Attack Protection” on my configuration.

    With your custom code the payment site redirect works again.

    And it works also just commenting the two following lines:

    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 

    Since I saw some mention of a “hidden iframe”…

    Then I just excluded the payment website with this rule:

    RewriteCond %{HTTP_REFERER} thirdparty\.com.* [NC,OR]

    Is it safe enough?

    Many thanks!

    AITpro Admin

    Yep, it is safe to either comment out the iframe security rules or to create a Rewrite bypass rule.  Just remember to save your custom htaccess code changes in this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS.  So that you custom htaccess code is saved permanently.

Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.