Add HttpOnly flag to cookies on the fly with Apache?
Question
So I have a java webapp that uses tomcat with an apache proxy layer. I'm looking to make all cookies set from the app have the httpOnly flag. The problem with this is that tomcat is responsible for setting the flag from the application side and its default (in servlet api 2.5) is false. I was hoping I could set this flag for all cookies on the fly using apache.
I've been trying different combinations and the closest I have gotten is setting the last cookie passed to httpOnly which is of course wrong:
Header append Set-Cookie "; HttpOnly"
I have no way of knowing what cookies/values are going to be passed from the app. Is this even possible?
2 answers
solution1
7 2012-07-25 23:30:10
The following mod_headers rewrite has the benefit that it won't duplicate HttpOnly if it's already there, if that sort of thing matters to you:
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
See:
- Where I originally found the above regex
- An explanation of why all those parentheses with the negative lookahead assertion , search for Finding Lines Containing or Not Containing Certain Words
- A post where I found a small improvement to the regex (search for Header edit Set-Cookie)
solution2
3 ACCPTED 2011-02-15 07:22:55
尝试以下mod_headers指令。
Header edit Set-Cookie ^(.*)$ $1;HttpOnly
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.