How to unset a cookie using .htaccess - apache

I'm using Apache; I put the following code in .htaccess to unset the Cookie header but it doesn't work:
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
What is your solution?

Preventing the server from issuing a Set-Cookie response header for specific file types won't stop other file types setting a cookie for the domain. So the browser will still send the cookie and the benefits are lost.
Telling the server to remove a Cookie request header before passing it on to the next layer of request processing won't stop the browser from sending it in the first place. So the benefits are lost.
The article you reference in a comment says to serve your static files from a different domain.
Do that. Never write code that sets a cookie for that domain. That's all you need to do.

1 - Create a subdomain, such as static.yourwebsite.com, which is where you will deliver all your static files from
2 - Point your new subdomain to the /wp-content directory of your WordPress installation. For cPanel users, you will need to update the document root field from public_html/static to public_html/wp-content like the screenshot below.
3 - Edit your wp-config.php file to reflect the following
define("WP_CONTENT_URL", "http://static.yourwebsite.com");
define("COOKIE_DOMAIN", "www.yourwebsite.com");
4 - Run the following command in your SQL database, this will ensure all post URLs are directed to the new subdomain:
UPDATE wp_posts SET post_content = REPLACE(post_content,'www.yourwebsite.com/wp-content/','static.yourwebsite.com/')
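Why step 3 pins the cookie to www.yourwebsite.com, shown as an added example that is not part of the original answer: a minimal Python version of the RFC 6265 domain-match rule, run over constructed cookies. The cookie names and the `COOKIES` table are assumptions made for illustration.

```python
import ipaddress


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a host name."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    if host == dom:
        return True
    return host.endswith("." + dom) and not is_ip(host)


def browser_sends(cookie, request_host):
    """cookie: dict with 'set_by' (issuing host) and an optional 'domain' attribute."""
    if cookie.get("domain"):
        return domain_match(request_host, cookie["domain"])
    # No Domain attribute: host-only cookie, returned to the exact issuing host only.
    return request_host.lower() == cookie["set_by"].lower()


# Constructed cookies (names are illustrative, hosts are the ones used in the steps).
COOKIES = {
    "scoped_to_www": {"set_by": "www.yourwebsite.com", "domain": "www.yourwebsite.com"},
    "host_only": {"set_by": "www.yourwebsite.com"},
    "site_wide": {"set_by": "www.yourwebsite.com", "domain": "yourwebsite.com"},
}


def cookies_sent_to(request_host):
    return sorted(n for n, c in COOKIES.items() if browser_sends(c, request_host))


if __name__ == "__main__":
    for host in ("www.yourwebsite.com", "static.yourwebsite.com"):
        print(host, "->", cookies_sent_to(host))
```

Any cookie set with the bare parent domain still reaches static.yourwebsite.com, so one such cookie anywhere on the site undoes the cookie-free subdomain.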

Related

HTTPS - Cookie "HttpOnly" and "secure"

My website is running under HTTPS protocol and I use only 1 cookie (PHPSESSID). My server is Apache 2.2.22. I noticed that my cookie doesn't have the "HttpOnly" and "Secure" headers, then I tried to set it via my .htaccess:
Header set Set-Cookie HttpOnly;Secure
By the way, the .htaccess works perfectly (URL rewriting, deflate, expire headers, ETags, etc.). But now... my website generates 4 cookies and PHPSESSID seems not to be secure:
Am I missing something?
.htaccess is the wrong way to go about this.
PHP has session configuration options for this, you can either set them in your PHP configuration in the usual way (php.ini, ini_set, …), or via a dedicated function call.
session.cookie_httponly and session.cookie_secure are the relevant options here.
See http://php.net/manual/en/session.configuration.php and http://php.net/manual/en/function.session-set-cookie-params.php for additional details.

How to enable 'Access-Control-Allow-Origin' header for all files in a directory of XAMPP?

I am developing an HTML5 JavaScript app to get an image from my local server which runs on the same machine as the app. When I run the app on my Chrome, I got:
Access to Image at 'http://localhost/someDIrectory/1.jpg' from origin
'http://localhost:50000' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:50000' is therefore not allowed
access.
From many questions here, the answers point out that I need to set
header("Access-Control-Allow-Origin: *");
in php file and it should work, but that is for php files... What about an image or a directory with images?
I have also come across How do I enable cross-origin resource sharing on XAMPP? and tried to add
<IfModule C:\xampp\htdocs\someDIrectory\1.jpg>
Header set Access-Control-Allow-Origin: *
</IfModule>
into httpd.conf. I tried restarting XAMPP and retried the above. But the result I got is still the same.
How to correctly set up such setting for XAMPP?
Note: I am using Construct 2 which is basically exported out as an HTML5/Javascript. I am simply using Sprite Load From URL action.
Create a file called ".htaccess" in the directory of your files and add the following to the file.
Header set Access-Control-Allow-Origin "http://localhost:50000"
You need to create the .htaccess file first, put it in the document root of your application, and then set this at the beginning of the file:
Header set Access-Control-Allow-Origin *
Cheers,

Clear web browser cache programmatically

I am working on a website with PHP in the backend and AngularJS in the frontend, and it's served via Apache 2.4.
My problem is that when I update my website to a new version, some users cannot see the latest modifications, so I added this .htaccess to force cleaning the cache every 1 hour, but it doesn't work as I expected.
FileETag None
<ifModule mod_headers.c>
Header unset ETag
Header set Cache-Control "max-age=3600, must-revalidate, private"
</ifModule>
Could you give me the right cache configuration to force the browsers to get the last update whenever a new version is available?
Within your build process, you could append a query parameter to your static files such as JS / CSS, like app.js?1476109496 (where epoch is a unique reference such as deployment epoch, commit hash or similar), which would cause browsers to request a new version without needing to mess with your .htaccess.

How to append cookie value to end of response Location header with Apache?

I have a page that issues an HTTP redirect. I need to append the current session id (jsessionid) to the end of the HTTP redirect to pass this id as a GET parameter in the redirect.
Can mod_header's Header append directive pick up a cookie value via SetEnvIf?
Should a rewrite rather be involved? But mod_rewrite just rewrites the request not the response, yes?
How would you solve this from an Apache perspective without touching back-end code?
Update: the Apache-JVM is handled by either mod_jk OR via IBM HTTP Server connection to WebSphere.
To my knowledge, with Apache httpd you do it like this:
SetEnvIf Cookie "mycookie=([^;]+)" MYCOOKIE=$1
SetEnvIf Cookie "mycookie=([^;]+)" HAVE_MYCOOKIE=1
Header add Set-Cookie "mycookie=%{MYCOOKIE}e; expires=0" env=HAVE_MYCOOKIE
You can also add additional cookie attributes like path and domain if you want.

How to remove a cookie in Apache

I need to remove a cookie from the HTTP request that gets to the server. Doing it on the client (that writes this cookie) or on the server (that reads it) is not an option. I have Apache 2.0 that proxies requests between client and the server, so I was hoping to remove the cookie right there in Apache using mod_rewrite.
My question is, is there a way to remove a certain cookie from the HTTP request using mod_rewrite?
If not possible to remove just one cookie then as a last resort to remove all cookies from the request?
I am open to other suggestions of how to accomplish this if mod_rewrite is not the right tool for this task.
Apache mod_rewrite allows manipulation of URLs but not of HTTP headers, however 'mod_headers' will let you do that.
So, you could use:
RequestHeader unset Cookie
This will strip all cookies from the request. I'm not sure if it's possible to remove just a particular cookie using this technique.
Alternatively, you can stop cookies being passed back to the client using:
Header unset Set-Cookie
if that's more appropriate.
With Apache > 2.2.4, you could have used :
RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2
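An added check, not part of the original answers, of how the `RequestHeader edit` pattern above behaves when the target cookie is last in the header or when another cookie's name ends in the same string. It mimics the first-match replacement in Python over constructed Cookie headers; the `STRICT` rule is an assumption written for this example and has not been tested against Apache.

```python
import re

TARGET = "ANY_COOKIE"
# (pattern, replacement) in Python syntax; Apache writes the groups as $1$2.
ANSWER = (r"^(.*?)ANY_COOKIE=.*?;(.*)$", r"\1\2")
# Stricter variant: an assumption made for this example, not verified on Apache.
STRICT = (r"(^|;\s*)ANY_COOKIE=[^;]*(;\s*|$)", r"\1")

# Constructed Cookie request headers.
MIDDLE = "a=1; ANY_COOKIE=secret; b=2"
LAST = "a=1; ANY_COOKIE=secret"        # no ';' after the target
LOOKALIKE = "MY_ANY_COOKIE=keep; b=2"  # different cookie, same name suffix


def edit(header, rule):
    """Mimic 'RequestHeader edit': replace the first match only."""
    pattern, replacement = rule
    return re.sub(pattern, replacement, header, count=1)


def parse(header):
    """Split a Cookie header into (name, value) pairs, skipping empty segments."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def verdict(header, rule):
    """'ok' if only TARGET was removed, otherwise what went wrong."""
    before, after = parse(header), parse(edit(header, rule))
    if any(name == TARGET for name, _ in after):
        return "target still forwarded"
    if after != [p for p in before if p[0] != TARGET]:
        return "other cookies damaged"
    return "ok"


if __name__ == "__main__":
    for label, rule in (("answer", ANSWER), ("strict", STRICT)):
        for header in (MIDDLE, LAST, LOOKALIKE):
            print(f"{label:7} {header!r:34} -> {verdict(header, rule)}")
```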
You can manage specific cookies using the following statements in Apache reverse proxy configurations:
To remove any specific cookie you can use: 'Header add Set-Cookie "ANY_COOKIE='';expires='SOME_DATE_IN_PAST'; Max-Age=0; Path=COOKIE_PATH"'
By specifying past date, you tell the browser that the cookie has expired and browser will discard the cookie.
To add any cookie you can use: 'Header add Set-Cookie "ANY_COOKIE='ANY_VALUE';expires='SOME_FUTURE_DATE'; Path=COOKIE_PATH"'
Be sure that you specify some future date. If you do not specify any date, the cookie will be treated as a session cookie.
Try using the following to remove specific cookie from request:
'RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"'
I use this to unset all cookies (good to serve static content)
Header unset Cookie
Header unset Set-Cookie