Header unset Set-Cookie is not working for existing cookies in httpd.conf file - apache

I want to remove Set-Cookie: 'some cookie details' from the web server's HTTP response. To do that, I used the content below:
Header unset Set-Cookie
But this works properly only for a newly added cookie; it does not work with the existing cookies I am seeing in the HTTP response.
For example, if I use the content below:
Header add Set-Cookie "SomeCookie='SomeValue'"
Header unset Set-Cookie
It removes the newly added cookie above, but not the existing cookies. Does anybody know how to remove the existing cookie from the HTTP response of the Apache web server?

Related

How to read a specific header in httpd.conf?

We are getting an HTTP header secure_user from the client. We want to read it in httpd.conf and set it as a cookie:
Header edit Set-Cookie <<http header secure_user obtained in client>>
I tried following https://serverfault.com/questions/520477/set-header-in-apache-if-it-doesnt-already-exist but it doesn't help me read a specific HTTP header.

SameSite=None not working for Apache 2.2.15 and Tomcat 6

I have Apache 2.2.15 with Tomcat 6, and I am trying to set the following command in Apache:
Header set Set-Cookie HttpOnly;Secure;SameSite=None
This is not working. I would really appreciate any advice and help, since the iFrame capability is now broken.
That command is so far off it's hard to tell what your intent was.
If you're trying to modify a cookie, don't you want Header edit... here?
If you're actually trying to set a new cookie, you're missing the cookie name and value.
https://github.com/covener/apache-samesite/blob/master/samesite-global.conf
Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
Header onsuccess edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
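
The effect of the edits above on individual cookies, as an added Python example (not part of the original answer or of the linked project). The patterns are re-expressed in Python's `re` syntax, which is assumed equivalent; the function names, the `samesite_skip` parameter and the sample cookies are constructed for illustration.

```python
import re

# Patterns from the configuration above, translated to Python's re syntax:
# PCRE's mid-pattern (?i) is written as a scoped (?i:...) group (assumed equivalent).
ADD_SAMESITE = re.compile(r"^(?!.*(\s+|;)(?i:SameSite=))(.*)")
DROP_DUP_SECURE = re.compile(r"(.*(\s+|;)(?i:Secure(\s+|;).*)) Secure$")


def rewrite_set_cookie(value, samesite_skip=False):
    """Apply both edits to one Set-Cookie value, first match only.

    samesite_skip models the env=!SAMESITE_SKIP condition (hypothetical parameter).
    """
    if samesite_skip:
        return value
    # Edit 1: append the attributes unless a SameSite attribute is already present.
    value = ADD_SAMESITE.sub(lambda m: m.group(0) + "; SameSite=None; Secure", value, count=1)
    # Edit 2: drop the appended Secure when the cookie already carried one.
    return DROP_DUP_SECURE.sub(r"\1", value, count=1)


# Constructed Set-Cookie values, not taken from any real application.
SAMPLES = [
    "sid=abc; Path=/; HttpOnly",
    "sid=abc; Secure",
    "sid=abc; secure; HttpOnly",
    "sid=abc; Path=/; samesite=Lax",
]


def rewrite_all(samples=SAMPLES):
    """Return {original: rewritten} for every sample."""
    return {s: rewrite_set_cookie(s) for s in samples}


if __name__ == "__main__":
    for before, after in rewrite_all().items():
        print(f"{before!r:40} -> {after!r}")
```

A cookie that already carries any SameSite value is left untouched, and a cookie that already carried Secure ends with a trailing `;` once the duplicate is removed.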

How to unset a cookie using .htaccess

I'm using Apache; I put the following code in .htaccess to unset the Cookie header but it doesn't work:
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
What is your solution?
Preventing the server from issuing a Set-Cookie response header for specific file types won't stop other file types setting a cookie for the domain. So the browser will still send the cookie and the benefits are lost.
Telling the server to remove a Cookie request header before passing it on to the next layer of request processing won't stop the browser from sending it in the first place. So the benefits are lost.
The article you reference in a comment says to serve your static files from a different domain.
Do that. Never write code that sets a cookie for that domain. That's all you need to do.
1 - Create a subdomain, such as static.yourwebsite.com, which is where you will deliver all your static files from
2 - Point your new subdomain to the /wp-content directory of your WordPress installation. For cPanel users, you will need to update the document root field from public_html/static to public_html/wp-content like the screenshot below.
3 - Edit your wp-config.php file to reflect the following
define("WP_CONTENT_URL", "http://static.yourwebsite.com");
define("COOKIE_DOMAIN", "www.yourwebsite.com");
4 - Run the following command in your SQL database, this will ensure all post URLs are directed to the new subdomain:
UPDATE wp_posts SET post_content = REPLACE(post_content,'www.yourwebsite.com/wp-content/','static.yourwebsite.com/')

Is it possible to rename a cookie in nginx?

In an Apache web proxy server we can rename a cookie like this:
Header edit Set-Cookie "CookieFromApplicationServer*=" "NewCookieName="
RequestHeader edit Cookie "NewCookieName[ ]*=" "CookieFromApplicationServer="
I am looking for an equivalent in the nginx web proxy server. Is it possible to rename a cookie through nginx? Experts, please advise.
Renaming a cookie implies that you create a new cookie, and delete existing cookie.
Creating a cookie does work. Also, if you recreate the same cookie on the same domain, the value will get updated. So what you can do is create the new cookie, and update the current cookie with 0 expiry time.
Or just simply create a new cookie and don't use the old one.
Below is how you can create the cookie in Nginx.
add_header Set-Cookie "<new-name>=<value>;Domain=<domain-name>;Path=<path-name>;Max-Age=<Expire time>";
add_header Set-Cookie "<old-name>=<value>;Domain=<domain-name>;Path=<path-name>;Max-Age=0";

How to remove a cookie in Apache

I need to remove a cookie from the HTTP request that gets to the server. Doing it on the client (that writes this cookie) or on the server (that reads it) is not an option. I have Apache 2.0 that proxies requests between client and the server, so I was hoping to remove the cookie right there in Apache using mod_rewrite.
My question is, is there a way to remove a certain cookie from the HTTP request using mod_rewrite?
If not possible to remove just one cookie then as a last resort to remove all cookies from the request?
I am open to other suggestions of how to accomplish this if mod_rewrite is not the right tool for this task.
Apache mod_rewrite allows manipulation of URLs but not of HTTP headers, however 'mod_headers' will let you do that.
So, you could use:
RequestHeader unset Cookie
This will strip all cookies from the request. I'm not sure if it's possible to remove just a particular cookie using this technique.
Alternatively, you can stop cookies being passed back to the client using:
Header unset Set-Cookie
if that's more appropriate.
With Apache > 2.2.4, you could have used:
RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2
You can manage specific cookies using the following statements in Apache reverse proxy configurations:
To remove any specific cookie you can use: 'Header add Set-Cookie "ANY_COOKIE='';expires='SOME_DATE_IN_PAST'; Max-Age=0; Path=COOKIE_PATH"'
By specifying a past date, you tell the browser that the cookie has expired and the browser will discard the cookie.
To add any cookie you can use: 'Header add Set-Cookie "ANY_COOKIE='ANY_VALUE';expires='SOME_FUTURE_DATE'; Path=COOKIE_PATH"'
Be sure that you specify some future date. If you do not specify any date, the cookie will be treated as a session cookie.
Try using the following to remove specific cookie from request:
'RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"'
I use this to unset all cookies (good to serve static content)
Header unset Cookie
Header unset Set-Cookie
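
A check of the `RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$"` pattern from one of the answers above against constructed Cookie headers, as an added Python example (not part of any of the original answers). The pattern is translated to Python's `re` syntax; the function names and sample headers are constructed for illustration, and `strip_cookie` is a reference for the intended behaviour rather than anything Apache provides.

```python
import re

# The pattern from the answer above, in Python's re syntax.
PAGE_PATTERN = re.compile(r"^(.*?)ANY_COOKIE=.*?;(.*)$")


def strip_with_page_regex(cookie_header):
    """Apply the edit as a first-match search-and-replace with $1$2."""
    return PAGE_PATTERN.sub(r"\1\2", cookie_header, count=1)


def strip_cookie(cookie_header, name):
    """Reference behaviour: drop every pair whose name is exactly `name`."""
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        pair_name = pair.split("=", 1)[0].strip()
        if pair_name != name:
            kept.append(pair)
    return "; ".join(kept)


# Constructed Cookie request headers covering each position of the cookie.
SAMPLES = [
    "a=1; ANY_COOKIE=x; b=2",   # cookie in the middle
    "ANY_COOKIE=x; b=2",        # cookie first
    "a=1; ANY_COOKIE=x",        # cookie last, no trailing semicolon
    "MANY_COOKIE=y; b=2",       # different cookie whose name ends in ANY_COOKIE
]


def compare(samples=SAMPLES, name="ANY_COOKIE"):
    """Return (header, regex_result, reference_result) for each sample."""
    return [(h, strip_with_page_regex(h), strip_cookie(h, name)) for h in samples]


if __name__ == "__main__":
    for header, got, want in compare():
        flag = "ok" if " ".join(got.split()) == want else "DIFFERS"
        print(f"{flag:8} {header!r} -> {got!r} (reference {want!r})")
```

The pattern leaves the cookie in place when it is the last pair in the header, and it corrupts an unrelated cookie whose name merely ends in the same string, so a rule of this shape needs testing against each position before it is relied on to keep a cookie away from the backend.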