[Owasp-modsecurity-core-rule-set] Error in optional_rules/modsecurity_crs_43_csrf_protection.conf

Jeronimo Zucco jczucco at gmail.com
Tue Nov 30 14:05:05 EST 2010


I am upgrading my servers to ModSecurity 2.5.13 and Core Rule Set 2.0.10 and
got this error in my config:

 ModSecurity: Could not set variable "session.sessionid" as the
collection does not exist.


The default optional_rules/modsecurity_crs_43_csrf_protection.conf has:

SecMarker BEGIN_SESSION_STARTUP

SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "chain,phase:1,t:none,pass,nolog,auditlog,msg:'Invalid SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter:END_SESSION_STARTUP"
       SecRule SESSION:VALID "!@eq 1" "t:none"

SecAction "phase:1,t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}"

SecMarker END_SESSION_STARTUP


SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)=([^\s]+)\;\s?)" "chain,phase:3,t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:session.valid=1"
       SecRule SESSION:SESSIONID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"



-- 
Jeronimo Zucco - CISSP
http://jczucco.blogspot.com
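The following is an added example, not part of the post above and not ModSecurity or CRS code. It replays the control flow of the two rule groups quoted in the message with a minimal in-memory stand-in for ModSecurity's SESSION and TX collections, using the two regular expressions exactly as they appear in the rules. It shows which requests reach the SecAction with no SESSION collection initialised (the path that produces the "collection does not exist" message), and how session.csrf_token is derived from the Set-Cookie value. Assumptions: the Engine class and its setsid/setvar methods are a simplified model of the real actions, and the phase-1 cookie-name selector is applied case-insensitively here so that JSESSIONID and PHPSESSID are recognised; the post does not say how ModSecurity treats case for a /regex/ collection selector.

```python
"""Model of the CRS 43 session-startup and CSRF-token rules (added example)."""
import hashlib
import re

# Selector from the phase-1 rule, applied to cookie names.  Assumption: run
# case-insensitively so JSESSIONID / PHPSESSID match; the post does not state
# how ModSecurity handles case for a /regex/ collection selector.
COOKIE_NAME_RE = re.compile(
    r"(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)",
    re.IGNORECASE,
)

# Regex from the phase-3 rule, verbatim.  Group 6 is the cookie value (%{TX.6}).
SET_COOKIE_RE = re.compile(
    r"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)=([^\s]+)\;\s?)"
)


class CollectionMissing(Exception):
    """Stand-in for the engine error quoted in the post."""


class Engine:
    """Hypothetical minimal model of one transaction's SESSION and TX collections."""

    def __init__(self, store):
        self.store = store      # persistent SESSION collections, keyed by session id
        self.session = None     # SESSION collection bound to this transaction (None until setsid)
        self.tx = {}            # TX collection

    def setsid(self, sid):
        # setsid: bind (and create if new) the persistent SESSION collection for this id
        self.session = self.store.setdefault(sid, {})

    def setvar_session(self, key, value):
        # setvar:session.KEY without a prior setsid is what the posted error reports
        if self.session is None:
            raise CollectionMissing(
                f'Could not set variable "session.{key}" as the collection does not exist.')
        self.session[key] = value


def phase1_session_startup(engine, cookies):
    """Replay BEGIN_SESSION_STARTUP .. END_SESSION_STARTUP for one request.

    Returns "skipped" when the chain matched and skipAfter bypassed the SecAction,
    "updated" when the SecAction ran against an existing collection, and raises
    CollectionMissing when the SecAction ran with no collection bound.
    """
    for name, value in cookies.items():
        if COOKIE_NAME_RE.search(name):
            # Non-disruptive actions of the first chained rule run as soon as it matches.
            engine.setsid(value)
            engine.tx["sessionid"] = value
            # Second rule of the chain: SESSION:VALID "!@eq 1"
            if engine.session.get("valid") != 1:
                return "skipped"          # whole chain matched -> skipAfter:END_SESSION_STARTUP
            break
    # SecAction: reached when no session cookie was sent, or the session is already valid.
    engine.setvar_session("sessionid", engine.tx.get("sessionid", ""))
    return "updated"


def extract_session_id(set_cookie_header):
    """Return %{TX.6} from the phase-3 regex, or None when the header does not match."""
    m = SET_COOKIE_RE.search(set_cookie_header)
    return m.group(6) if m else None


def csrf_token_for(sid):
    """t:sha1,t:hexEncode applied to SESSION:SESSIONID, captured as %{TX.1}."""
    return hashlib.sha1(sid.encode()).hexdigest()


def phase3_set_cookie(engine, set_cookie_header):
    """Replay the phase-3 chain on one Set-Cookie header; returns the CSRF token or None."""
    sid = extract_session_id(set_cookie_header)
    if sid is None:
        return None
    engine.setsid(sid)
    engine.setvar_session("sessionid", sid)
    engine.setvar_session("valid", 1)
    token = csrf_token_for(sid)
    engine.setvar_session("csrf_token", token)
    return token


def demo():
    """Three constructed requests against one shared session store."""
    store, results = {}, {}
    # 1. First visit, no session cookie: the SecAction runs with nothing bound -> the posted error.
    first = Engine(store)
    try:
        phase1_session_startup(first, {"lang": "en"})
    except CollectionMissing as exc:
        results["no_cookie"] = str(exc)
    # The application then issues a session cookie; phase 3 creates and marks the collection.
    results["token"] = phase3_set_cookie(first, "JSESSIONID=ABC123; Path=/; HttpOnly")
    # 2. Next request carries the known cookie: session.valid == 1, chain fails, SecAction is safe.
    results["known_cookie"] = phase1_session_startup(Engine(store), {"JSESSIONID": "ABC123"})
    # 3. Unknown session id: chain matches and skipAfter bypasses the SecAction.
    results["unknown_cookie"] = phase1_session_startup(Engine(store), {"PHPSESSID": "notseen"})
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the replay makes visible. The skipAfter only protects the path where a session cookie was found and the session is new or invalid; a request with no session cookie at all falls straight through to the SecAction, so the error in the post is expected on every cookieless request, not a sign of a broken install. The phase-3 regex also requires a `;` after the cookie value, so a Set-Cookie header with no attributes following the value is never matched, and the CSRF token it stores is just the SHA-1 of the session id, i.e. a deterministic function of the cookie value alone.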

