How to remove a cookie in Apache - apache

I need to remove a cookie from the HTTP request that gets to the server. Doing it on the client (that writes this cookie) or on the server (that reads it) is not an option. I have Apache 2.0 that proxies requests between client and the server, so I was hoping to remove the cookie right there in Apache using mod_rewrite.
My question is, is there a way to remove a certain cookie from the HTTP request using mod_rewrite?
If it is not possible to remove just one cookie, then, as a last resort, is there a way to remove all cookies from the request?
I am open to other suggestions of how to accomplish this if mod_rewrite is not the right tool for this task.

Apache mod_rewrite allows manipulation of URLs but not of HTTP headers; however, mod_headers will let you do that.
So, you could use:
RequestHeader unset Cookie
This will strip all cookies from the request. I'm not sure if it's possible to remove just a particular cookie using this technique.
Alternatively, you can stop cookies being passed back to the client using:
Header unset Set-Cookie
if that's more appropriate.

With Apache > 2.2.4, you could use:
RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2
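Added illustration, not code from the thread: the Python below applies the pattern `^(.*?)ANY_COOKIE=.*?;(.*)$` (the one used with RequestHeader edit above) and a hypothetical tighter alternative to constructed Cookie headers, and contrasts both with parsing the header into name/value pairs and rebuilding it, which is what avoids the edge cases (a cookie in last position is missed, and a cookie whose name merely ends in ANY_COOKIE is stripped instead). It assumes Python's re and Apache's PCRE agree on these patterns.

```python
import re
from typing import List, Tuple

# Constructed sample Cookie request headers (not taken from the thread).
SAMPLES = {
    "first":  "ANY_COOKIE=secret; b=2",
    "middle": "a=1; ANY_COOKIE=secret; b=2",
    "last":   "a=1; b=2; ANY_COOKIE=secret",
    "only":   "ANY_COOKIE=secret",
    "prefix": "NOT_ANY_COOKIE=keep; ANY_COOKIE=secret; b=2",
}

# Pattern posted in the thread (Apache replacement $1$2 is \1\2 in Python).
THREAD_REGEX = re.compile(r"^(.*?)ANY_COOKIE=.*?;(.*)$")

# Hypothetical tighter pattern: the name must start the header or follow a
# separator, the value runs to the next ';' or the end, and the separator is
# consumed on the correct side so no dangling '; ' is left behind.
TIGHTER_REGEX = re.compile(
    r"^ANY_COOKIE=[^;]*(?:;\s*)?|;\s*ANY_COOKIE=[^;]*(?=;|$)"
)


def strip_with_thread_regex(cookie_header: str) -> str:
    """Apply the thread's pattern once; unchanged if it does not match."""
    return THREAD_REGEX.sub(r"\1\2", cookie_header, count=1)


def strip_with_tighter_regex(cookie_header: str) -> str:
    """Apply the tighter pattern once, replacing the match with nothing."""
    return TIGHTER_REGEX.sub("", cookie_header, count=1)


def parse_cookie_header(cookie_header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs; RFC 6265 separates them with ';'."""
    pairs = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def remove_cookie(cookie_header: str, name: str) -> str:
    """Drop every pair called `name` and re-serialise; no regex edge cases."""
    kept = [f"{n}={v}" for n, v in parse_cookie_header(cookie_header) if n != name]
    return "; ".join(kept)
```

Run the three functions over SAMPLES to compare: the thread pattern leaves the "last" header untouched and mangles "prefix", while the parse-and-rebuild version is correct for every position.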

You can manage specific cookies using the following statements in an Apache reverse proxy configuration.
To remove any specific cookie you can use:
Header add Set-Cookie "ANY_COOKIE='';expires='SOME_DATE_IN_PAST'; Max-Age=0; Path=COOKIE_PATH"
By specifying a past date, you tell the browser that the cookie has expired, and the browser will discard the cookie.
To add any cookie you can use:
Header add Set-Cookie "ANY_COOKIE='ANY_VALUE';expires='SOME_FUTURE_DATE'; Path=COOKIE_PATH"
Be sure that you specify some future date. If you do not specify any date, the cookie will be treated as a session cookie.
Try using the following to remove a specific cookie from the request:
RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"

I use this to unset all cookies (good for serving static content):
Header unset Cookie
Header unset Set-Cookie

Related

HTTPS - Cookie "HttpOnly" and "Secure"

My website is running under the HTTPS protocol and I use only 1 cookie (PHPSESSID). My server is Apache 2.2.22. I noticed that my cookie doesn't have the "HttpOnly" and "Secure" headers, so I tried to set them via my .htaccess:
Header set Set-Cookie HttpOnly;Secure
By the way, the .htaccess works perfectly (URL rewriting, deflate, expire headers, ETags, etc.). But now my website generates 4 cookies and PHPSESSID seems not to be secure:
Am I missing something?
.htaccess is the wrong way to go about this.
PHP has session configuration options for this; you can either set them in your PHP configuration in the usual way (php.ini, ini_set, …) or via a dedicated function call.
session.cookie_httponly and session.cookie_secure are the relevant options here.
See http://php.net/manual/en/session.configuration.php and http://php.net/manual/en/function.session-set-cookie-params.php for additional details.

How to unset a cookie using .htaccess

I'm using Apache; I put the following code in .htaccess to unset the Cookie header, but it doesn't work:
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
What is your solution?
Preventing the server from issuing a Set-Cookie response header for specific file types won't stop other file types setting a cookie for the domain. So the browser will still send the cookie and the benefits are lost.
Telling the server to remove a Cookie request header before passing it on to the next layer of request processing won't stop the browser from sending it in the first place. So the benefits are lost.
The article you reference in a comment says to serve your static files from a different domain.
Do that. Never write code that sets a cookie for that domain. That's all you need to do.
1 - Create a subdomain, such as static.yourwebsite.com, which is where you will deliver all your static files from
2 - Point your new subdomain to the /wp-content directory of your WordPress installation. For cPanel users, you will need to update the document root field from public_html/static to public_html/wp-content like the screenshot below.
3 - Edit your wp-config.php file to reflect the following
define("WP_CONTENT_URL", "http://static.yourwebsite.com");
define("COOKIE_DOMAIN", "www.yourwebsite.com");
4 - Run the following command in your SQL database; this will ensure all post URLs are directed to the new subdomain:
UPDATE wp_posts SET post_content = REPLACE(post_content,'www.yourwebsite.com/wp-content/','static.yourwebsite.com/')

Is it possible to rename a cookie in nginx?

In an Apache web proxy server we can rename a cookie like this:
Header edit Set-Cookie "^CookieFromApplicationServer=" "NewCookieName="
RequestHeader edit Cookie "NewCookieName[ ]*=" "CookieFromApplicationServer="
I am looking for an equivalent in nginx web proxy server. Is it possible to rename a cookie through nginx? Experts please advise.
Renaming a cookie implies that you create a new cookie and delete the existing cookie.
Creating a cookie does work. Also, if you recreate the same cookie on the same domain, the value will get updated. So what you can do is create the new cookie and update the current cookie with a 0 expiry time.
Or just simply create a new cookie and don't use the old one.
Below is how you can create the cookie in Nginx.
add_header Set-Cookie "<new-name>=<value>;Domain=<domain-name>;Path=<path-name>;Max-Age=<Expire time>";
add_header Set-Cookie "<old-name>=<value>;Domain=<domain-name>;Path=<path-name>;Max-Age=0";

Apache Server: Redirection via http headers

I am trying to force the browser to use https even when the user enters an http URL. The idea is to use HTTP response headers from the server. I am able to implement redirection using Redirect (in site.conf) and Rewrite (which is disliked universally), but I want to test out this method too.
Now I have tried adding the following to my /etc/apache/sites-enabled/mysite.conf, but despite the browser receiving the response headers, the user is not redirected to https (the default Apache page is shown):
Header set Location https://www.example.com/
Header set X-Forwarded-Proto: https
Header set Strict-Transport-Security "max-age=180; includeSubdomains"
Do I have to change anything else in the Apache configuration to achieve this? (All modules are correctly loaded.)
The Location header is only used for redirect responses (with an HTTP response code of 3XX) or Created responses (with an HTTP response code of 201):
https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2
Just setting the header on a random page will not make the browser redirect.
When you use Apache Redirect and Rewrite rules, they set the response header AND add the Location header. I really don't know why you'd want to do this manually.
And Rewrite is not "universally disliked". It is just overused when Redirect would be simpler and more efficient in a lot of cases. If you need something more complicated, then Rewrite is the right tool to use.
Finally, you should not send the Strict-Transport-Security header on an HTTP response (and the browser will rightly ignore it if you do), but only on HTTPS responses.

How to append cookie value to end of response Location header with Apache?

I have a page that issues an HTTP redirect. I need to append the current session id (jsessionid) to the end of the HTTP redirect to pass this id as a GET parameter in the redirect.
Can mod_header's Header append directive pick up a cookie value via SetEnvIf?
Should a rewrite rather be involved? But mod_rewrite just rewrites the request not the response, yes?
How would you solve this from an Apache perspective without touching back-end code?
Update: the Apache-JVM is handled by either mod_jk OR via IBM HTTP Server connection to WebSphere.
To my knowledge, with Apache httpd you do it like this:
SetEnvIf Cookie "mycookie=([^;]+)" MYCOOKIE=$1
SetEnvIf Cookie "mycookie=([^;]+)" HAVE_MYCOOKIE=1
Header add Set-Cookie "mycookie=%{MYCOOKIE}e; expires=0" env=HAVE_MYCOOKIE
You can also add additional cookie attributes like path and domain if you want.