SameSite=None not working for Apache 2.2.15 and Tomcat 6 - apache

I have Apache 2.2.15 with tomcat 6, and I am trying to set the following command in Apache:
Header set Set-Cookie HttpOnly;Secure;SameSite=None
This is not working. I would really appreciate any advice and help, since the iFrame capability is broken.

That command is so far off it's hard to tell what your intent was.
If you're trying to modify a cookie, don't you want Header edit... here?
If you're actually trying to set a new cookie, you're missing the cookie name and value.
https://github.com/covener/apache-samesite/blob/master/samesite-global.conf
Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP

Related

httpOnly flag not working using Apache mod_headers

I've written this rule to add the httpOnly flag to each cookie, but the result was that.
What's wrong with the rule?
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
[EDIT]
I've tried to do this treatment at the backend, but it's using servlet 2.4 and jboss4. But the minimum required is servlet 3.0.
Do you want to edit the JSessionID header? If yes, then you need to use the exact same name in Header, i.e.
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Header unset Set-Cookie is not working for existing cookies in httpd.conf file

I want to remove Set-Cookie: 'some cookie details' from the web server http response. In that case I used the content below to remove it:
Header unset Set-Cookie
But this works properly only if I have a newly added cookie there; it does not work with the existing cookies I am seeing in the http response.
For example: if I use the content below
Header add Set-Cookie "SomeCookie='SomeValue'"
Header unset Set-Cookie
It removes the newly added cookie above but not existing cookies. Does anybody know how to remove the existing cookie from the http response of the apache web server?

Apache mod_headers: can't edit set-cookie header

I'm trying to modify domain for which the cookie is valid with mod_headers:
From:
ipa_session=e88331a44e20d8b5caaacb0e896029fe; Domain=internal.example.com; Path=/ipa; Expires=Tue, 13 Dec 2016 09:31:33 GMT; Secure; HttpOnly
To:
ipa_session=e88331a44e20d8b5caaacb0e896029fe; Domain=example.com; Path=/ipa; Expires=Tue, 13 Dec 2016 09:31:33 GMT; Secure; HttpOnly
Mod-headers is working well, these rules work:
Header set "something" "something"
Header edit "something" "something" "somethingdifferent"
But editing "Set-Cookie" header just does nothing:
Header edit "Set-Cookie" "Domain=internal.example.com" "Domain=example.com"
Apache syntax is OK, but the rule just does nothing.
Apache package version: 2.4.18-2ubuntu3.1
Adding to Misko's response (because my account is too new to comment) the Apache docs say that the response headers come out of TWO sets of internal tables. Thus "always" is required for some things to work, and an absence of "always" is required for others to work. In my case, Ubuntu 18.04, Apache 2.4.29 I had to remove "always" for the headers to be edited coming out of PHP 7.2.
The docs seem to suggest you can have both directives to cover all bases but I have not tested that.
One has to add always before edit
Header always edit "Set-Cookie" "Domain=internal.example.com" "Domain=example.com"
For my instance, I used edit* as well (replaces all occurrences)

Apache module_headers remove csrftoken from cookie

We recently scanned our application for open vulnerabilities, and one of the reports shows the chance of an XSS attack because of the absence of the HttpOnly and Secure flags in our cookies.
So, as per the suggestion here, which is to update the apache configuration and add the following:
<IfModule mod_headers.c>
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
But now we are facing an issue with our CSRF implementation saying invalid token/request, because adding this line removes the cookie from the request headers and adds Set-Cookie:JSESSIONID=9833010B7C016CBBC37F64117E4BB0BF; Path=/; HttpOnly;HttpOnly;Secure in the response headers.
Cookie value before adding HttpOnly and Secure flag:
Cookie: csrftoken=xRbsYj0jq9lRnWoL7PC2RUoufOeLYhJsLCACSYVeArPx9d0qZg4Ox7mnmhZc0jEU; JSESSIONID=75D35C6FBF8BB5DF9DD7B0E13405E885
Set-Cookie value in response header after adding HttpOnly and Secure flag:
Set-Cookie:JSESSIONID=9833010B7C016CBBC37F64117E4BB0BF; Path=/; HttpOnly;HttpOnly;Secure
BTW, we are using a Grails 2.5.4 application with useToken in <g:form useToken="true"> and withForm in the action implementation.
Server version: Apache/2.4.7 (Ubuntu)
Server built: Oct 14 2015 14:20:21
I would really appreciate if you could help us debug and resolve the problem.
Thanks
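An added example (not code from any of the answers or from the linked samesite-global.conf) that emulates these Header edit rules in Python against constructed Set-Cookie values: the naive `^(.*)$` rule used in this question and the one before it appends the flags blindly and produces the duplicated `HttpOnly;HttpOnly;Secure` seen above, while the negative-lookahead rules from the first answer only add SameSite=None when no SameSite attribute is present and are safe to apply twice. The mid-pattern `(?i)` is written as a scoped `(?i:...)` group because Python's re rejects a global flag there; Apache's PCRE accepts the original form.

```python
import re

# Rule 1 from the first answer: append "; SameSite=None; Secure" only when no
# SameSite= attribute (any case) already exists. "\g<0>" is Python's "$0".
ADD_SAMESITE = (re.compile(r"^(?!.*(\s+|;)(?i:SameSite=))(.*)"),
                r"\g<0>; SameSite=None; Secure")
# Rule 2: if Secure was already present, drop the trailing " Secure" rule 1 added.
DEDUP_SECURE = (re.compile(r"(.*(\s+|;)(?i:Secure)(\s+|;).*) Secure$"), r"\1")
# The naive rule quoted in the questions: append the flags unconditionally.
NAIVE_FLAGS = (re.compile(r"^(.*)$"), r"\1;HttpOnly;Secure")


def header_edit(value: str, rule) -> str:
    """Emulate `Header edit` on one header value: one substitution (edit, not edit*)."""
    pattern, replacement = rule
    return pattern.sub(replacement, value, count=1)


def samesite_none(value: str) -> str:
    """Apply the two SameSite rules in the order the config lists them."""
    return header_edit(header_edit(value, ADD_SAMESITE), DEDUP_SECURE)


def naive_flags(value: str) -> str:
    """Apply the naive `^(.*)$ -> $1;HttpOnly;Secure` rule."""
    return header_edit(value, NAIVE_FLAGS)


if __name__ == "__main__":
    # Constructed sample cookies (values are placeholders, not real sessions).
    for cookie in ("sid=1; Path=/; Secure; HttpOnly",
                   "sid=1; Path=/; HttpOnly",
                   "sid=1; Path=/; SameSite=Lax"):
        print(repr(cookie), "->", repr(samesite_none(cookie)))
    once = naive_flags("JSESSIONID=abc; Path=/; HttpOnly")
    print("naive once :", once)           # HttpOnly;HttpOnly;Secure
    print("naive twice:", naive_flags(once))  # flags duplicated again
```

Running it shows that the dedup rule leaves a trailing semicolon after SameSite=None when Secure was already set, which browsers tolerate, and that the naive rule grows the header on every pass through the proxy.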

How to use Apache mod_headers to append a Cookie?

My Scenario
I want to add a cookie to the existing cookies sent by the user in the request header.
What I tried
So I decided to use RequestHeader directive
RequestHeader append Cookie "foo=bar"
The only problem is that RequestHeader appends the new value, per definition, with a comma (,), not with a semicolon (;). So my new cookie is "merged" with the old one in a strange way (probably because of the missing semicolon).
Or
RequestHeader append Cookie " foo=bar"
The request header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.
Apache Documentation
My question
Am I missing something or is RequestHeader not the right directive?
Environment: Apache/2.4.20, PHP/5.5.35, Ubuntu
It seems that using append for cookies does not work as expected.
After analysing what I actually needed, I decided that setting a new RequestHeader was enough.
I think you should use the add method instead of append; also, it's not called Cookie, it's Set-Cookie. Cookie is just the name you see in the browser.
Header add Set-Cookie "mycookie=value; path=/; expires=Thu, 13 Dec 2018 13:31:00 -0000; HttpOnly"