I'm using Apache 2.2.29 for a website. The apache works both to serve pages from Drupal, and as reverse proxy to an internal application server. For security reasons we want to add the flags HttpOnly and secure to all cookies send to the clients. In order to do that I've setup the following rules in the apache
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
And that works fine, for some cookies, but others are not being modified. Looking at the reponse header I see the following:
HTTP/1.1 200 OK
Date: Thu, 20 Nov 2014 22:50:01 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 20 Nov 2014 22:50:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Set-Cookie: SESSbfb02014bca2e49545c2cacd8a8cfcfa=perqn1l3mn2saselmabnn4vla7; expires=Sun, 14-Dec-2014 02:23:21 GMT; path=/; domain=.www6.server.com; HttpOnly; secure
Set-Cookie: textsize=100; expires=Fri, 20-Nov-2015 22:50:02 GMT; path=/; HttpOnly; secure
X-Cnection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: TS01bd748d=015ca10fb56fc0a5579c6ad014a58a39be63cd86225d41d272c4e99ff818001921bf8a6afe8ff8786edc26a530281a2446ac250c26; Path=/
Set-Cookie: TS01ccb021=015ca10fb57273008302fba8649a42c6cd81f3c49f372d5d34fa4c31fc345f6be3c40dff1b5db114bd54174903e671f755744110dd; path=/; domain=.server.com
Set-Cookie: TS01bd748d_28=01d8892cb5da9e13891c7af98cab63f3bea0d8549b995c92d87d9b10240fcf906df41411935b1d5db889e1e5178debe05972be3916; Path=/
Content-Length: 39891
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
Only the first two cookies are being modified in order to have the flags. The other three are not. They seem to be set later, or at least they appear after the first two. I don't know why that makes a difference, but it seems to do. Any suggestions on how to fix them?