Edit Cookie HttpOnly value
Due to PCI regulations, most cookies in my application need to be secure and httponly. I have achieved that through this line in my Apache config file:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

However, this breaks part of the application where a single cookie, let's call it foobar, must be read by JavaScript. Therefore I need to remove HttpOnly for this cookie only.

I've played around with several approaches, including mod_rewrite, but I can't get the HttpOnly to drop off the cookie. I don't want to reset the value of the cookie, etc., just take off the HttpOnly part.

E.g. Header always edit Set-Cookie ^(foobar=.*)$ $1 (doesn't work)

Suffruticose answered 15/12, 2016 at 21:49. Comments (2):
What is the Apache version? - Tefillin
2.4.23. I'll try your answer now and get back to you. Thanks! - Suffruticose

Try this:

Header edit Set-Cookie ^((?!foobar=).*)$ $1;HttpOnly;Secure
Tefillin answered 16/12, 2016 at 9:47. Comments (7):
When I tried this, none of the cookies get HttpOnly or Secure added. I guess it didn't like the regex? - Suffruticose
Indeed it was off the top of my head, but I did expect it to work. I'll try to test and see what's wrong. - Tefillin
Try the modified directive please (always removed, and modified regex). - Tefillin
It also works with "always". So it may have been a bad regex before. - Alburga
@Alburga where do we need to add the above code? - Nietzsche
In your Apache config file. - Tefillin
If you need to conditionally modify the content of the 'Set-Cookie' header, you might also be interested in this proposed solution: https://mcmap.net/q/542500/-add-secure-and-httponly-flags-to-every-set-cookie-response-in-apache-httpd - Nightfall
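Added example (not from the answer above, and not Apache's own code): a small Python model of how "Header edit" runs a regex over each Set-Cookie header, using the accepted answer's negative-lookahead rule. The second rule, which re-adds Secure to the foobar cookie, is my assumption, since the answer's rule alone leaves that cookie with neither flag while the question wanted it to stay Secure.

```python
import re

# Rule 1 is the accepted answer's directive: every Set-Cookie whose value
# does not start with "foobar=" gets both flags. Rule 2 is an assumed extra
# directive (not from the page) so the JavaScript-readable cookie still
# carries Secure, as the question required. Apache's $1 is \g<1> in re.sub.
HEADER_EDITS = [
    (r"^((?!foobar=).*)$", r"\g<1>;HttpOnly;Secure"),
    (r"^(foobar=.*)$", r"\g<1>;Secure"),
]

# Constructed sample Set-Cookie values, not taken from the question.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "foobar=visible-to-js; Path=/",
    "csrf=tok; Path=/; SameSite=Strict",
]


def header_edit(set_cookie_values, edits=HEADER_EDITS):
    """Mimic 'Header edit Set-Cookie <regex> <replacement>' rules, applied in
    order to each Set-Cookie header separately (PCRE; re behaves the same)."""
    out = []
    for value in set_cookie_values:
        for pattern, replacement in edits:
            value = re.sub(pattern, replacement, value)
        out.append(value)
    return out


def cookie_flags(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}


def check_policy(set_cookie_values, js_readable=("foobar",)):
    """List violations: every cookie Secure; all but js_readable HttpOnly."""
    problems = []
    for value in set_cookie_values:
        name, attrs = cookie_flags(value)
        if "secure" not in attrs:
            problems.append(f"{name}: missing Secure")
        if name in js_readable and "httponly" in attrs:
            problems.append(f"{name}: HttpOnly blocks JavaScript access")
        if name not in js_readable and "httponly" not in attrs:
            problems.append(f"{name}: missing HttpOnly")
    return problems
```

Running check_policy over header_edit(SAMPLE_HEADERS, edits=HEADER_EDITS[:1]) shows the answer's rule alone reports "foobar: missing Secure"; with both rules the policy check is clean.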