
I'm trying to implement a Secure flag for all cookies. I'm doing this via Headers.

Here's how I did it:

Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"    

It successfully does its job on the first load. But on the second load, either when I refresh the browser or hit enter from the address bar, the header is no longer there and the cookies are no longer being served with the secure flag.

Is this a normal browser behaviour? What's wrong with my settings?

Thanks.

UPDATE (Still not working as expected)

  1. My problem is that HttpOnly and Secure flags don't stick after reloading the page. And apparently this is not normal browser behaviour. I've tested other sites and their flags are still there after reload. So this one is all me...
  2. Where do I put the Header edit Set-Cookie? I've tried it in the Main Config (apache.conf), I've tried it in an Include file and inside the VirtualHost. None of them seems to work.
  3. I also tried other variations/syntax, like Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure but the same issue.

UPDATE (FireBug) Tried to run it with FireBug. Checking the cookies from NET would show that the Secure and HttpOnly flags have been removed on the second load. At first load they're there. But checking from the COOKIES tab (beside Net), it shows that the Secure and HttpOnly flags are PERSISTENT. Why is that like that?

jarvis

0 Answers
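Added example, not part of the original question: a Python model of what a `Header edit Set-Cookie` rule does to the `Set-Cookie` values in a response, plus a small audit of which flags each cookie still lacks. It shows that a response carrying no `Set-Cookie` header leaves the rule nothing to rewrite, and that the posted pattern appends a second `Secure` to a value that already has one. Assumptions: Python's `re` stands in for Apache's regex engine, the headers are constructed samples, and `GUARDED`, `header_edit` and `audit` are hypothetical names introduced here.

```python
import re

# The pattern from the question, with $N rewritten as \N for Python's re module.
POSTED = (re.compile(r"(?i)^(.*)(;\s*secure)??((\s*;)?(.*))"), r"\1; Secure\3\4")
# Assumed alternative (not from the question): skip values that already have the flag.
GUARDED = (re.compile(r"(?i)^(?!.*;\s*secure\s*(?:;|$))(.*)$"), r"\1; Secure")


def header_edit(headers, rule):
    """Model of `Header edit Set-Cookie`: rewrite each Set-Cookie value present."""
    pattern, repl = rule
    return [(n, pattern.sub(repl, v, count=1) if n.lower() == "set-cookie" else v)
            for n, v in headers]


def audit(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie in a response."""
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        present = {a.split("=", 1)[0].lower() for a in attrs}
        report[pair.split("=", 1)[0]] = [f for f in ("secure", "httponly") if f not in present]
    return report


# Constructed sample traffic: the application sets the cookie once, then stops.
FIRST_LOAD = [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]
RELOAD = [("Content-Type", "text/html")]  # no Set-Cookie header: nothing to edit
ALREADY_SECURE = [("Set-Cookie", "sid=abc123; Secure; Path=/")]

if __name__ == "__main__":
    print("first load, unedited :", audit(FIRST_LOAD))
    print("first load, edited   :", audit(header_edit(FIRST_LOAD, POSTED)))
    print("reload, edited       :", audit(header_edit(RELOAD, POSTED)))
    print("posted on secure     :", header_edit(ALREADY_SECURE, POSTED))
    print("guarded on secure    :", header_edit(ALREADY_SECURE, GUARDED))
```

The `Cookie` request header a browser sends back contains only `name=value` pairs, so cookie attributes such as `Secure` and `HttpOnly` can only be checked on responses that actually carry `Set-Cookie`.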