Allow valid logon cookies to bypass Anubis

[Dwedit]

Well here is the feature request or idea...
If you have successfully signed into a website before, you'll have the cookies to prove it. So my idea was to skip Anubis challenges if you have correct cookies.

As for how you would to do this:

• Real user has real cookies
• Fake user could have:
  • No cookies at all (and so could a real user)
  • Make up something not null for every possible cookie requested (real user highly unlikely to do this)
  • Advanced fake user who knows which cookies are needed and will make up plausible but invalid cookies for anything necessary

First two cases are trivial to check for, the "no cookies at all" case or the "fake cookies for every possible key" case. The third case where the attacker generates plausible specific cookies would need a bit of consideration. The server could validate them, but that costs resources, but then you have to consider how many bots would be doing that. If no bots do that, then just validate the cookies and bypass the challenge for valid logon sessions.

[Xe]

Use an expression for this:

bots:
  # ...
  - name: logged-in-users
    action: ALLOW
    expression:
      all:
        - '"Cookie" in headers'
        - 'headers["Cookie"].contains("your-cookie-name")