When working with Apache's mod_rewrite, developers often need to check for exact cookie values in RewriteCond statements. The HTTP_COOKIE server variable contains all cookies in a single string, making exact value matching surprisingly tricky.
The common approaches like:
RewriteCond %{HTTP_COOKIE} its=me [NC]
RewriteCond %{HTTP_COOKIE} ^its=me$ [NC]
fail because:
- HTTP_COOKIE contains all cookies (e.g., "session=abc123; its=me; tracking=1")
- Simple patterns might match partial values ("me" would match "memo")
- The cookie might appear anywhere in the string
The most reliable method anchors the name=value pair on both sides with alternation groups (start of string or a semicolon before it, end of string or a semicolon after it):
RewriteCond %{HTTP_COOKIE} (^|;\s*)its=me($|;)
This pattern ensures:
- The cookie appears at start or after semicolon
- Value is exactly "me" (case-insensitive when the [NC] flag is added)
- Value ends at semicolon or string end
For redirecting when cookie matches exactly:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} (^|;\s*)its=me($|;) [NC]
RewriteRule ^ /special-page [L,R=302]
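For blocking requests with invalid cookies (the negated condition fires when the cookie is missing or carries any other value; [NC] is left off so the token is compared case-sensitively):
RewriteCond %{HTTP_COOKIE} !(^|;\s*)auth_token=correct_value($|;)
RewriteRule ^ - [F]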
Use this diagnostic rule to test patterns without affecting users (the Header directive requires mod_headers):
RewriteCond %{QUERY_STRING} ^debug-cookie-test$
RewriteCond %{HTTP_COOKIE} (^|;\s*)its=(.*?)($|;)
RewriteRule ^ - [E=MATCHED_VALUE:%2]
Header set X-Cookie-Test "%{MATCHED_VALUE}e" env=MATCHED_VALUE
Access with ?debug-cookie-test to see extracted values in response headers.
When checking multiple cookies:
- Place most common matches first
- Use [OR] flags judiciously
- Consider
directives for complex logic
For high-traffic sites, cookie-based rewrites should generally be avoided in favor of application-layer logic.
When exact matching becomes too complex:
# Using mod_setenvif (pattern anchored on both sides so "visits=me" does not match)
SetEnvIf Cookie "(^|;\s*)its=me(\s*;|$)" HAS_EXACT_COOKIE
# In rewrite rules
RewriteCond %{ENV:HAS_EXACT_COOKIE} =1
RewriteRule ^ /special-page [L]
Remember that mod_rewrite rules are processed before most other modules, so environment variables set by mod_setenvif won't be available in very early rewrite phases.
When working with Apache's mod_rewrite rules, matching exact cookie values in the HTTP_COOKIE string presents unique parsing challenges. The HTTP_COOKIE variable contains the entire Cookie header string, which means we need precise pattern matching to isolate specific name-value pairs.
Standard regex patterns like ^its=me$ don't work because:
Cookie: its=me; othercookie=value
Cookie: its=me2
Cookie: othercookie=value; its=me
All these scenarios break naive matching attempts.
Here's the correct pattern for exact value matching:
RewriteCond %{HTTP_COOKIE} (^|;\s*)its=me($|\s*;) [NC]
This handles all edge cases:
- Cookie at start of string (^)
- Cookie in middle (;\s* prefix)
- Cookie at end ($)
- Cookie followed by another (\s*; suffix)
Basic exact match:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} (^|;\s*)auth_token=abc123($|\s*;) [NC]
RewriteRule ^ /protected-area [L]
Negative matching (when cookie doesn't exist or has wrong value):
RewriteCond %{HTTP_COOKIE} !(^|;\s*)session_valid=true($|\s*;) [NC]
RewriteRule ^ /login [R=302,L]
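For complex scenarios with multiple cookies (cookie values are client-supplied, so a rule like this only routes requests; the application behind /admin-dashboard still has to authorize them):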
RewriteCond %{HTTP_COOKIE} (^|;\s*)user_type=admin($|\s*;) [NC]
RewriteCond %{HTTP_COOKIE} (^|;\s*)session_active=1($|\s*;) [NC]
RewriteRule ^ /admin-dashboard [L]
When dealing with many cookies:
- Place the most common failure condition first
- Use [OR] flags judiciously
- Consider RewriteMap for complex matching logic
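Enable verbose logging with the following (Apache 2.2 directives; Apache 2.4 removed them in favor of per-module LogLevel settings):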
RewriteLog "/var/log/apache2/rewrite.log"
RewriteLogLevel 3
Watch for false positives/negatives in your pattern matching.
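The following added example (not part of the original page) checks the patterns shown above against constructed Cookie header values and lists each pattern's false positives and false negatives. Python's re module stands in for Apache's PCRE engine, re.IGNORECASE models [NC], and the labels, sample headers and helper names are assumptions made for the example.

```python
import re

# Patterns from the page; the dictionary labels are assumptions for this example.
PATTERNS = {
    "naive": r"its=me",
    "whole_string": r"^its=me$",
    "tight": r"(^|;\s*)its=me($|;)",
    "tolerant": r"(^|;\s*)its=me($|\s*;)",
}

# Constructed Cookie header values (not captured traffic).
HEADERS = [
    "its=me",
    "its=me; othercookie=value",
    "othercookie=value; its=me",
    "session=abc123; its=me; tracking=1",
    "its=me2",
    "its=memo; tracking=1",
    "visits=me",
    "othercookie=its=me",
    "its=me ; tracking=1",
]

def parse_cookies(header):
    """Split a Cookie header into (name, value) pairs, used as ground truth."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs

def expected(header, name="its", value="me"):
    """True if a cookie with this name and value is present (case-insensitive, like [NC])."""
    return any(n.lower() == name and v.lower() == value for n, v in parse_cookies(header))

def evaluate():
    """Return each pattern's false positives and false negatives over HEADERS."""
    results = {}
    for label, pattern in PATTERNS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        hits = {h: bool(rx.search(h)) for h in HEADERS}
        results[label] = {
            "false_pos": [h for h in HEADERS if hits[h] and not expected(h)],
            "false_neg": [h for h in HEADERS if not hits[h] and expected(h)],
        }
    return results

if __name__ == "__main__":
    for label, outcome in evaluate().items():
        print(label, outcome)
```

The pattern ending in ($|;) misses a cookie followed by whitespace before the semicolon, which the ($|\s*;) variant accepts.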