httpOnly flag not working using Apache mod_headers - apache

I've written this rule to add httpOnly flag to each cookie but the result was that.
What's wrong with the rule?
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
[EDIT]
I've tried to do this treatment at backend, but it's using servlet 2.4 and jboss4. But the minimum required is servlet 3.0

Do you want to edit the JSessionID header? If yes, then you need to use the same exact name in the header, i.e.
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Related

SameSite=None not working for Apache 2.2.15 and Tomcat 6

I have Apache 2.2.15 with tomcat 6, and I am trying to set the following command in Apache:
Header set Set-Cookie HttpOnly;Secure;SameSite=None
This is not working. I would really appreciate any advice and help, since then the iFrame capability is broken.
That command is so far off it's hard to tell what your intent was.
If you're trying to modify a cookie, don't you want Header edit... here?
If you're actually trying to set a new cookie, you're missing the cookie name and value.
https://github.com/covener/apache-samesite/blob/master/samesite-global.conf
Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
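Added example (not from the original posts or the apache-samesite project): a Python model of the substitution that Header edit performs, comparing the unconditional append from the HttpOnly question with lookahead-guarded rules in the style shown above. The sample Set-Cookie values are constructed, and Python's re module stands in for Apache's regex engine, which is an assumption that holds for these patterns.

```python
import re

# Attribute name -> text to append when the cookie lacks it.
ATTRS = [("HttpOnly", "HttpOnly"), ("Secure", "Secure"), ("SameSite", "SameSite=None")]

# Constructed Set-Cookie values, as a backend might emit them.
SAMPLES = [
    "JSESSIONID=abc123; Path=/app",
    "JSESSIONID=abc123; Path=/app; HttpOnly",
    "theme=dark; Path=/; secure; httponly; SameSite=Lax",
    "mode=secure; Path=/",
]

# Models: Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
def naive_edit(value):
    return re.sub(r"^(.*)$", lambda m: m.group(1) + ";HttpOnly;Secure", value, count=1)

# One guarded rule per attribute: the negative lookahead makes the rule a
# no-op when the attribute is already present, so the edit is idempotent.
def guarded_edit(value):
    for name, text in ATTRS:
        # The attribute must follow a ';' so that a cookie *value* such as
        # mode=secure is not mistaken for the Secure flag.
        pattern = r"^(?!.*;\s*%s\s*(?:=|;|$))(.*)$" % name
        value = re.sub(pattern, lambda m: m.group(1) + "; " + text,
                       value, count=1, flags=re.I)
    return value

# Number of times an attribute appears after the name=value pair.
def count_attr(value, name):
    return len(re.findall(r";\s*%s\s*(?==|;|$)" % name, value, flags=re.I))

if __name__ == "__main__":
    for sample in SAMPLES:
        print("in     :", sample)
        print("naive  :", naive_edit(sample))
        print("guarded:", guarded_edit(sample))
```
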

Using Mod_Rewrite to edit a cookie conditionally

My cookie value JSESSIONID is of the form id.bunchofstuff
My cookie value name_of_msfcookie is of the form bunchofstuff2
If the MSF cookie exists, I want to change my JSESSIONID to id.bunchofstuff2.
But how? Here is my attempt:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} name_of_msfcookie=(.*) #checks for existence of value (value can be any character or series of characters) in cookie
RewriteRule ^(.*) - [CO=JSESSIONID:JSESSIONID[7].name_of_msfcookie:.place.com]
It doesn't work - I think JSESSIONID[7].name_of_msfcookie is invalid syntax )-=. I can't think of any valid syntax to do it.
That syntax works fine for me and the cookie that gets set looks correct. This is what I see when I send a request to apache with those rules with a name_of_msfcookie=something cookie:
Set-Cookie: JSESSIONID=JSESSIONID[7].name_of_msfcookie; path=/; domain=.place.com
Vary: Cookie
Not sure if that's what you are trying to do though. Note that the [CO] flag sends the cookie to the browser.

Read header into environment variable in Apache 2.2?

I want to process a request header using a custom rewrite map.
Therefore I want to have the content of the header in an environment variable.
I have not found a way to do that with mod_headers and/or mod_rewrite.
Any help is appreciated.
Mod_rewrite example for the request header "X-Forwarded-For":
RewriteRule .* - [E=X-Forwarded-For:%{HTTP:X-Forwarded-For}]

how to have apache always return code 200 with data instead of 304?

I would like to have Apache HTTPD return response code 200 with data of resource request via a GET instead of returning response code 304 with no data. Does anyone have an idea how to do that?
Thanks in advance
Remove the header; add the following to the httpd.conf file
<FilesMatch "\.(filetype1|filetype2)$">
RequestHeader unset If-Modified-Since
RequestHeader unset If-None-Match
</FilesMatch>
Add the following directive to your apache config file
RequestHeader unset If-Modified-Since
This will ignore the If-Modified-Since header sent from the client, so you will not get a 304 Not Modified response.
Don't send it any cache-related headers (If-Modified-Since, If-None-Match and friends) when making the request. This informs the server that the client doesn't cache, and makes it always return data.
I'm not sure I fully understand your question. I assume you want to provide a normal HTTP answer if the client uses a correct URL, and a default page (with status 200) when the client uses a non-existing URL.
If this is the case, it can be achieved like that:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*+ /dummy.html
The first line is a condition that the URL doesn't match an existing file on the web server. If that condition holds, the second line is executed, which serves a dummy page to the client.

How to remove a cookie in Apache

I need to remove a cookie from the HTTP request that gets to the server. Doing it on the client (that writes this cookie) or on the server (that reads it) is not an option. I have Apache 2.0 that proxies requests between client and the server, so I was hoping to remove the cookie right there in Apache using mod_rewrite.
My question is, is there a way to remove a certain cookie from the HTTP request using mod_rewrite?
If not possible to remove just one cookie then as a last resort to remove all cookies from the request?
I am open to other suggestions of how to accomplish this if mod_rewrite is not the right tool for this task.
Apache mod_rewrite allows manipulation of URLs but not of HTTP headers, however 'mod_headers' will let you do that.
So, you could use:
RequestHeader unset Cookie
This will strip all cookies from the request. I'm not sure if it's possible to remove just a particular cookie using this technique.
Alternatively, you can stop cookies being passed back to the client using:
Header unset Set-Cookie
if that's more appropriate.
With Apache > 2.2.4, you could have used :
RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2
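Added example (not part of the original answer): a Python model of the RequestHeader edit rule above, run against constructed Cookie headers and compared with a reference that parses the header into pairs. The helper names strip_cookie, still_sent and compare are hypothetical, and Python's re module stands in for Apache's regex engine. It shows the positions in which the regex leaves the target cookie in the request or damages a neighbouring cookie.

```python
import re

# Models: RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2
def page_rule(cookie_header, name="ANY_COOKIE"):
    pattern = r"^(.*?)%s=.*?;(.*)$" % re.escape(name)
    return re.sub(pattern, lambda m: m.group(1) + m.group(2), cookie_header, count=1)

# Reference behaviour (hypothetical helper): split into pairs and drop
# every pair whose name matches exactly (cookie names are case-sensitive).
def strip_cookie(cookie_header, name):
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if pair and pair.split("=", 1)[0] != name:
            kept.append(pair)
    return "; ".join(kept)

# Constructed Cookie request headers, one per position of the target cookie.
CASES = {
    "middle": "a=1; ANY_COOKIE=x; b=2",
    "last": "a=1; ANY_COOKIE=x",               # no trailing ';' after the value
    "suffix_name": "MY_ANY_COOKIE=keep; b=2",  # different cookie, same suffix
    "duplicate": "ANY_COOKIE=1; a=1; ANY_COOKIE=2",
}

# True if a cookie called `name` is still present in the edited header.
def still_sent(cookie_header, name):
    names = [p.strip().split("=", 1)[0] for p in cookie_header.split(";") if p.strip()]
    return name in names

# Per case: (regex result, reference result, does the regex still pass the cookie on?)
def compare(name="ANY_COOKIE"):
    out = {}
    for label, hdr in CASES.items():
        edited = page_rule(hdr, name)
        out[label] = (edited, strip_cookie(hdr, name), still_sent(edited, name))
    return out

if __name__ == "__main__":
    for label, row in compare().items():
        print(label, row)
```
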
You can manage specific cookies using following statements in apache reverse proxy configurations:
To remove any specific cookie you can use:'Header add Set-Cookie "ANY_COOKIE='';expires='SOME_DATE_IN_PAST'; Max-Age=0; Path=COOKIE_PATH"'
By specifying past date, you tell the browser that the cookie has expired and browser will discard the cookie.
To add any cookie you can use:'Header add Set-Cookie "ANY_COOKIE='ANY_VALUE';expires='SOME_FUTURE_DATE'; Path=COOKIE_PATH"'
Be sure that you specify some future date. If you do not specify any date, the cookie will be treated as a session cookie.
Try using the following to remove specific cookie from request:
'RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"'
I use this to unset all cookies (good to serve static content)
Header unset Cookie
Header unset Set-Cookie