
I would like to change all cookies to be Secure and HttpOnly. It works fine for one cookie, but doesn't work when multiple cookies are set in the response.

The Apache mod_headers rule should change the cookies from:

Set-Cookie cookie1=value; Path=/somePath
Set-Cookie cookie2=value; Path=/somePath

to

Set-Cookie cookie1=value; Path=/somePath; Secure; HttpOnly
Set-Cookie cookie2=value; Path=/somePath; Secure; HttpOnly

I use mod_headers for it with the following rule:

Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

It works fine when only one cookie is set, but if there is more than one, it just removes all the following ones, and they are not set at all.

Any help on how to write a mod_headers rule for multiple values? Or is the problem something else?

Juraj

2 Answers


I found the answer. The problem was the version of Apache installed on the server. The edit command is supported from version 2.2.4, but the installed version was 2.2.3 (the default on RHEL 5+). So I upgraded httpd and everything works fine.

For more about upgrading httpd on RHEL or CentOS see:

http://www.jasonlitka.com/2007/01/17/upgrading-to-httpd-224-on-rhel-centos-4/

http://www.jasonlitka.com/yum-repository/

Juraj

This rule would work for Apache 2.2.3

Header set Set-Cookie HttpOnly;Secure
  • This doesn't seem to cause cookies to be sent with these flags, but rather just adds a value to the cookie called 'HttpOnly'...I might be wrong, but I don't think that accomplishes anything... – Matt Browne Jan 28 '16 at 22:50
  • Never mind, I think I was mistaken. I checked the headers with [this tool](http://tools.geekflare.com/seo/tool.php?id=check-headers) and it seems to have the HttpOnly setting as it should. I was confused because Chrome Developer tools and Firebug didn't seem to indicate that the cookie was HttpOnly. – Matt Browne Jan 28 '16 at 23:02
  • I agree that something is not right here. An extra cookie is being added called "HttpOnly" - At least in Apache 2.2.12. Additionally, it breaks the application because the app doesn't expect that cookie. – Phaedrus Apr 14 '16 at 13:55
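Added example (not from the question, the answers or the Apache project): a small Python model of the two mod_headers directives discussed in this thread. `header_edit` mirrors how `Header edit` (2.2.4+) applies the regex to each Set-Cookie header separately, which is what the question needed; `header_set` mirrors how `Header set` replaces every Set-Cookie with the single literal value, which is why the second answer produces a bogus cookie named "HttpOnly" and loses the application's own cookies, as the comments report. `audit_cookies` is the kind of check the commenters ran with an external header tool. The sample headers, the `SAFE_EDIT_*` idempotent patterns and all function names are constructed for this example; Apache's `$1` in the replacement string corresponds to Python's `\1`.

```python
import re

# Constructed sample response, modelled on the question: two Set-Cookie
# headers, neither of them Secure or HttpOnly.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cookie1=value; Path=/somePath"),
    ("Set-Cookie", "cookie2=value; Path=/somePath"),
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def set_cookie_values(headers):
    """All Set-Cookie values in order, as a client would receive them."""
    return [v for f, v in headers if f.lower() == "set-cookie"]


def audit_cookies(headers):
    """List (cookie name, missing flags) for every Set-Cookie lacking Secure or HttpOnly."""
    findings = []
    for value in set_cookie_values(headers):
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def header_edit(headers, field, pattern, replacement):
    """Model of 'Header edit' (mod_headers 2.2.4+): the regex is applied to each
    occurrence of the field separately; other headers pass through untouched."""
    out = []
    for f, v in headers:
        if f.lower() == field.lower():
            v = re.sub(pattern, replacement, v, count=1)  # 'edit' replaces the first match
        out.append((f, v))
    return out


def header_set(headers, field, value):
    """Model of 'Header set': every existing occurrence is dropped and one header emitted."""
    out = [(f, v) for f, v in headers if f.lower() != field.lower()]
    out.append((field, value))
    return out


# The rule from the question, in Python regex form ($1 -> \1).
NAIVE_EDIT = (r"^(.*)$", r"\1;Secure;HttpOnly")

# Constructed idempotent variants: the tempered-greedy group can only reach the
# end of the value when the attribute is not already present, so applying the
# rule to a cookie that already carries the flag does not duplicate it.
SAFE_EDIT_HTTPONLY = (r"(?i)^((?:(?!;\s*HttpOnly\b).)+)$", r"\1; HttpOnly")
SAFE_EDIT_SECURE = (r"(?i)^((?:(?!;\s*Secure\b).)+)$", r"\1; Secure")


def harden(headers):
    """Apply both idempotent edits, as a 2.2.4+ server with the rules would."""
    headers = header_edit(headers, "Set-Cookie", *SAFE_EDIT_HTTPONLY)
    return header_edit(headers, "Set-Cookie", *SAFE_EDIT_SECURE)


if __name__ == "__main__":
    print("before:", audit_cookies(SAMPLE_HEADERS))
    print("after Header edit:", set_cookie_values(harden(SAMPLE_HEADERS)))
    print("after Header set:", set_cookie_values(header_set(SAMPLE_HEADERS, "Set-Cookie", "HttpOnly;Secure")))
```

The idempotent pattern translated back to httpd.conf would read `Header edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly\b).)+)$" "$1; HttpOnly"` (and likewise for Secure); that form is an assumption based on mod_headers using PCRE, not something the thread states. The point it guards against is the one the naive `^(.*)$` rule has: a backend that already emits `HttpOnly` ends up with the attribute twice.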