I am upgrading my servers to ModSecurity 2.5.13 and core
ruleset/2.0.10 and got this error in my config:
ModSecurity: Could not set variable "session.sessionid" as the
collection does not exist.
The default optional_rules/modsecurity_crs_43_csrf_protection.conf has:
SecMarker BEGIN_SESSION_STARTUP
SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "chain,phase:1,t:none,pass,nolog,auditlog,msg:'Invalid SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter:END_SESSION_STARTUP"
SecRule SESSION:VALID "!@eq 1" "t:none"
SecAction "phase:1,t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}"
SecMarker END_SESSION_STARTUP
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)=([^\s]+)\;\s?)" "chain,phase:3,t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:session.valid=1"
SecRule SESSION:SESSIONID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
--
Jeronimo Zucco - CISSP
http://jczucco.blogspot.com
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set