mod rewrite – Verify 2 cookies with mod_rewrite before serving images

I have the following mod_rewrite rule, which works fine in my Apache 2.x on CentOS 6 Linux machine, but it is not complete:

RewriteCond %{HTTP_COOKIE} !id
RewriteCond %{REQUEST_URI} ^/sites/default/files/pictures/picture-
RewriteRule .* /images/dummy.png [L]

because I’m trying to change it in 2 ways:

  1. Actually 2 cookies (and not just 1 as above) should be present: id and auth (but I don’t know how to do (X or Y) and Z with mod_rewrite)

  2. I’d like to verify that the value of the auth cookie is a 32 hex chars string (an MD5 hash) and that the value of the id cookie is numeric.

The background is that I’ve gotten a bill for EUR 1000,- from Getty Images, because one of the Drupal users on my server has supposedly used their picture as an avatar. I’m not looking for any lawyer or pseudo-lawyer advice here, just for the way to display a dummy image instead of real user pictures to web crawlers.

And yes, I’ve noticed in the mod_rewrite doc that I could pass the cookie values to an external script through mod_rewrite (for verifying the MD5 hash), but I’d like to tackle this later.


I’ve come up with the following:

RewriteCond %{REQUEST_URI} ^/sites/default/files/pictures/picture-
RewriteCond %{HTTP_COOKIE} !auth=[a-fA-F0-9]{32} [OR]
RewriteCond %{HTTP_COOKIE} !id=[0-9]+
RewriteRule .* /images/dummy.png [L]

but I’m not sure if the above RewriteConds act as X and (Y or Z) or (X and Y) or Z
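
Added example, not part of the original post: in mod_rewrite, [OR] joins a condition to the next one as a local OR and those groups are then ANDed, so the conditions above read as X and (Y or Z). The Python model below (not Apache code; `rule_applies`, the sample cookies and the anchored patterns are assumptions made for illustration) evaluates the posted conditions that way and compares them with patterns that require each name=value pair to be a whole cookie.

```python
import re

def rule_applies(conds, cookie_header, uri):
    """Model of RewriteCond chaining: conditions linked by [OR] form one
    group, and the groups are ANDed. Returns True if the RewriteRule fires."""
    group_ok = False                      # any condition in this OR group true?
    for variable, pattern, ornext in conds:
        subject = uri if variable == "REQUEST_URI" else cookie_header
        negate = pattern.startswith("!")
        hit = re.search(pattern[1:] if negate else pattern, subject) is not None
        group_ok = group_ok or (hit != negate)
        if not ornext:                    # last member of the group
            if not group_ok:
                return False
            group_ok = False
    return True

PICTURES = ("REQUEST_URI", r"^/sites/default/files/pictures/picture-", False)

# Conditions as posted (third field: True where the line carries [OR]).
POSTED = [PICTURES,
          ("HTTP_COOKIE", r"!auth=[a-fA-F0-9]{32}", True),
          ("HTTP_COOKIE", r"!id=[0-9]+", False)]

# Assumed tightening: each name=value pair must be a whole cookie.
ANCHORED = [PICTURES,
            ("HTTP_COOKIE", r"!(^|;\s*)auth=[a-fA-F0-9]{32}(;|$)", True),
            ("HTTP_COOKIE", r"!(^|;\s*)id=[0-9]+(;|$)", False)]

# Constructed sample requests.
PIC = "/sites/default/files/pictures/picture-42.jpg"
HEX32 = "0123456789abcdef" * 2
GOOD = f"id=42; auth={HEX32}"
SLOPPY = f"id=42abc; auth={HEX32}x"       # non-numeric id, trailing non-hex char

if __name__ == "__main__":
    for name, conds in (("posted", POSTED), ("anchored", ANCHORED)):
        for cookie in ("", "id=42", GOOD, SLOPPY):
            shown = "dummy.png" if rule_applies(conds, cookie, PIC) else "real picture"
            print(f"{name:8} Cookie: {cookie!r:52} -> {shown}")
```

Both variants check only the format of the cookies; whether the auth value is a valid hash is the separate verification the post defers.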