HttpOnly and secure cookies with Apache mod_header for all cookies


Maybe the problem is that the Header edit directive runs before your application produces a response, so if the application is producing the header you want to edit, that header won't yet exist at the time the directive runs.

According to the documentation:

Header [condition] set|append|merge|add|unset|echo|edit header [value] [replacement] [early|env=[!]variable]

The optional condition argument determines which internal table of response headers this directive will operate against. Other components of the server may have stored their response headers in either the table that corresponds to onsuccess or the table that corresponds to always. "Always" in this context refers to whether headers you add will be sent during both a successful and unsuccessful response, but if your action is a function of an existing header, you will have to read on for further complications.

The default value of onsuccess may need to be changed to always under the circumstances similar to those listed below. Note also that repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers:

  • You're adding a header to a non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.
  • You're modifying or removing a header generated by a CGI script, in which case the CGI scripts' headers are in the table corresponding to always and not in the default table.
  • You're modifying or removing a header generated by some piece of the server but that header is not being found by the default onsuccess condition.

REF: http://httpd.apache.org/docs/2.2/mod/mod_headers.html

You can fix this by using Header always edit.

E.g.:

Header always edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Header always edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"

I hope this helps.

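As an added example (not part of the answer or the question above), the two mod_headers regexes from the answer are run in Python against a response head modelled on the one in the question, next to an audit function that reports which Set-Cookie headers still lack HttpOnly or Secure. Python's re evaluates these patterns the same way PCRE does, so this shows exactly which values the directive rewrites and which it leaves alone. The sample response is constructed (the long TS* cookie values are abbreviated), and the names SAMPLE_RESPONSE, apache_edit_set_cookie, parse_response_head, harden and audit_cookies are chosen here; they are not Apache APIs.

```python
import re

# The two mod_headers patterns from the answer, used unchanged. Apache evaluates
# them with PCRE; Python's re supports the same constructs ((?i), lookahead).
HTTPONLY_RE = re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$")
SECURE_RE = re.compile(r"(?i)^((?:(?!;\s?secure).)+)$")

# Constructed sample (name chosen here): modelled on the response in the
# question, with the long TS* cookie values abbreviated.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 20 Nov 2014 22:50:01 GMT
Cache-Control: store, no-cache, must-revalidate
Set-Cookie: SESSbfb02014bca2e49545c2cacd8a8cfcfa=perqn1l3mn2saselmabnn4vla7; expires=Sun, 14-Dec-2014 02:23:21 GMT; path=/; domain=.www6.server.com; HttpOnly; secure
Set-Cookie: textsize=100; expires=Fri, 20-Nov-2015 22:50:02 GMT; path=/; HttpOnly; secure
Content-Type: text/html; charset=utf-8
Set-Cookie: TS01bd748d=015ca10fb56f; Path=/
Set-Cookie: TS01ccb021=015ca10fb572; path=/; domain=.server.com
Set-Cookie: TS01bd748d_28=01d8892cb5da; Path=/
Content-Length: 39891
"""


def apache_edit_set_cookie(value):
    """Emulate `Header edit Set-Cookie <regex> "$1; <flag>"` on one header value.

    `edit` replaces at most once per value, hence count=1. A value that already
    carries the flag never matches (the lookahead rejects the whole line at the
    ';' before the attribute, and '$' cannot be reached), so it is left
    untouched instead of getting a duplicate attribute.
    """
    value = HTTPONLY_RE.sub(r"\1; HttpOnly", value, count=1)
    value = SECURE_RE.sub(r"\1; secure", value, count=1)
    return value


def parse_response_head(raw):
    """Split a raw response head into an ordered list of (name, value) pairs.

    Duplicates are kept: every Set-Cookie is a separate header, and the edit
    is applied to each of them, as the first two cookies in the question show.
    """
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the head
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def harden(headers):
    """Apply the edit to every Set-Cookie header, leaving other headers alone."""
    return [(n, apache_edit_set_cookie(v) if n.lower() == "set-cookie" else v)
            for n, v in headers]


def audit_cookies(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    Attribute names are compared case-insensitively (RFC 6265), so
    "HttpOnly", "httponly" and "HTTPONLY" all count as present.
    """
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [f for f in ("HttpOnly", "Secure")
                                 if f.lower() not in attrs]
    return findings


if __name__ == "__main__":
    original = parse_response_head(SAMPLE_RESPONSE)
    print("before:", audit_cookies(original))
    print("after: ", audit_cookies(harden(original)))
```

Two practical notes. First, because the documentation quoted in the answer says always is not a superset of onsuccess, the same two patterns are normally placed on both a Header edit line and a Header always edit line so that headers in either table are covered. Second, run an audit like audit_cookies against the response as the client actually receives it (for example a captured curl -i head), not against Apache's own output: a cookie added by a device in front of Apache, like the F5 in the comments, never passes through mod_headers and no Header directive can rewrite it.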


Author: Jose L Martinez-Avial

Updated on September 18, 2022

Comments

  • Jose L Martinez-Avial over 1 year

    I'm using Apache 2.2.29 for a website. Apache works both to serve pages from Drupal and as a reverse proxy to an internal application server. For security reasons we want to add the flags HttpOnly and secure to all cookies sent to the clients. In order to do that I've set up the following rules in Apache:

    Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
    Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
    

    And that works fine for some cookies, but others are not being modified. Looking at the response headers I see the following:

    HTTP/1.1 200 OK
    Date: Thu, 20 Nov 2014 22:50:01 GMT
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Last-Modified: Thu, 20 Nov 2014 22:50:01 GMT
    Cache-Control: store, no-cache, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Set-Cookie: SESSbfb02014bca2e49545c2cacd8a8cfcfa=perqn1l3mn2saselmabnn4vla7; expires=Sun, 14-Dec-2014 02:23:21 GMT; path=/; domain=.www6.server.com; HttpOnly; secure
    Set-Cookie: textsize=100; expires=Fri, 20-Nov-2015 22:50:02 GMT; path=/; HttpOnly; secure
    X-Cnection: close
    Content-Type: text/html; charset=utf-8
    Set-Cookie: TS01bd748d=015ca10fb56fc0a5579c6ad014a58a39be63cd86225d41d272c4e99ff818001921bf8a6afe8ff8786edc26a530281a2446ac250c26; Path=/
    Set-Cookie: TS01ccb021=015ca10fb57273008302fba8649a42c6cd81f3c49f372d5d34fa4c31fc345f6be3c40dff1b5db114bd54174903e671f755744110dd; path=/; domain=.server.com
    Set-Cookie: TS01bd748d_28=01d8892cb5da9e13891c7af98cab63f3bea0d8549b995c92d87d9b10240fcf906df41411935b1d5db889e1e5178debe05972be3916; Path=/
    Content-Length: 39891
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    

    Only the first two cookies are being modified in order to have the flags. The other three are not. They seem to be set later, or at least they appear after the first two. I don't know why that makes a difference, but it seems to. Any suggestions on how to fix them?

    • funky-future about 7 years
      Though this doesn't relate to the problem itself, I'm curious how the regular expression actually works. Here it doesn't, as one would expect: regex101.com/r/3tC5QW/3
  • Jose L Martinez-Avial over 9 years
    I tried that approach both with always and onsuccess. Strangely, if I put always the headers don't get modified at all. With onsuccess it works the same way as without it; only the first two ones are changed.
  • Federico Sierra over 9 years
    @JoseLMartinez-Avial You set cookies on the application side? Is the application on the server, or are you accessing it through a reverse proxy?
  • Jose L Martinez-Avial over 9 years
    I discovered what the problem is. We are using a F5 proxy which is actually adding those cookies long after the response has been sent from the Apache. Nothing to do with the Apache. Thanks!