Cookie Access Rules
Last update:2024-04-29 17:25:31
Cookies are data stored locally on a user’s device by websites to identify users and track sessions. When users revisit the same website, the browser automatically sends the stored cookies to the server, allowing the server to manage access based on the cookie information. When a CDN PoP receives a request from a client, it checks the Cookie field in the HTTP request header and decides whether to allow or deny the request based on predefined cookie blacklists and whitelists. Implementing these cookie rules at a CDN level streamlines many processes, enhancing both the security and efficiency of handling web traffic, which ultimately improves the overall user experience.
How to Set Up the Cookie Blacklist/Whitelist
- Log in to the CDNetworks Console and select the appropriate product.
- Go to the Configuration, locate the domain you wish to configure, and click Edit Configuration
![[Feature Upgrade] Advanced Access Control](https://documents.cdnetworks.com/wcs/draft/help_doc/zh_cn/17/31790/1714283913583_image.png)
. - Navigate to Hotlinking Protection - Cookie Anti-hotlinking in the left sidebar and click Add.
- Configure the settings as follows based on your needs.
Effective Range
This defines the range of requests that Cookie rules will apply to. You can choose from the following options:
| Setting | Description |
|---|---|
| All Requests | The access control rule applies to all types of requests. |
| Only Homepage | Applies only to the root directory of the domain, such as http://domain/ or https://domain/. |
| Specified File Type | Applies only to specific types of files. You can select from the predefined file types on the left or define custom file types. Separate multiple custom types with a semicolon ;.(e.g., jpg;png). |
| Specified URI | Applies only to requests for content at a specific URI. Two URI matching options are available:Exact matching: Complete URI, including parameters.(e.g., path/index.html?abc=123). Ignore the parameter matching: URI without query parameters.(e.g., path/index.html). |
| Specified Directory | Applies to requests under specific directories. For example, /file/abc/ applies to all content under http://domain/file/abc/*.Note: Directories must start and end with /, and can only contain letters, numbers, and certain special characters (underscore, hyphen, percent sign, dot). Multiple directories are supposed to be seperated with line breaks. |
| URL Pattern | Uses regular expressions to control the range of requests that the rules will be applied to. For example, the pattern *.jpg$ ensures that access control applies to all URLs ending with .jpg. |
Cookie Type
You can configure either a Cookie blacklist or whitelist:
| Type | Description |
|---|---|
| Cookie Blacklist | Access denied if the request’s cookies contain certain content. |
| Cookie Whitelist | Allows access only if the request’s cookies contain certain content. |
Tips
You should use regular expressions to configure blacklists or whitelists. For example, the expressionGOOGLE=70238C3Ematches all requests that containGOOGLE=70238C3Ein their cookies.
The system supports only one whitelist rule. If multiple cookie rules are needed, they must all be included within this single whitelist.
Action
When the Cookie does not meet the set rules, and a request is denied by the CDN, choose whether to return an error code directly or redirect to another URL:
- Deny Access: The CDN rejects the request with a 403 error.
- Redirect URL: The CDN redirects the requests to another URL.
Allow NULL Cookie
Whether to allow access for requests with empty cookies, even if a whitelist already exists.
Priority
When multiple access control rules are configured, the CDN prioritizes them based on their numerical value, executing higher numbers first.
After you have completed setting the configurations, please click OK and then select Next to submit your settings. To minimize any potential disruptions to your production environment, we strongly recommend conducting a Pre-deploy test in a staging environment. This crucial step ensures that your configurations are accurate before they go live. Once you have verified the accuracy of the settings, click Deploy Now to implement them in the live environment. The configurations typically become effective within 3-5 minutes. For comprehensive guidance on pre-deployment testing and to verify the effectiveness of your configurations, please consult the tutorial Deploy the Configurations to Staging Environment for Validation.
Best Practices
Example 1: Configure a Cookie Blacklist
Access will be denied for all requests whose cookies contain aaa.
Another case, the access will be denied for all requests whose cookies contain bbb or ccc.
Example 2: Configure a Cookie Whitelist
For all requests, access is permitted only if the request’s cookies contain aaa or bbb.
Notes
Please DO NOT configure both Cookie blacklists and whitelists simultaneously, as this may result in all CDN access being denied, potentially disrupting your online operations. For instance, configuring both a Cookie blacklist and whitelist as shown below can lead to all access being denied.
Why would all access be denied?
- When a request carries the Cookie value
aaa, it matches the Cookie blacklist rule, and the CDN denies access. - Requests without the Cookie value
aaa, while not denied by the blacklist, fail to meet the whitelist (which only allows access for requests with the Cookie containingaaa) and are also denied.
If you need to configure both a blacklist and a whitelist, please contact our technical support for assistance to ensure proper setup.