You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Sathish Vijayan <Sa...@tre.se> on 2020/10/25 01:54:50 UTC

[users@httpd] set httponly flag for only "session" cookie

Hi!

I am using form based authenciation and enabled a session cookie to store the user session with username and password as below.
And trying to set httponly flag for only "session" cookie. Please help to solve this with a configuration in apache 2.4.25 version.

AuthType form
  AuthName "TEST"
  AuthUserFile /user/passwords
  AuthGroupFile /user/groups
  AuthFormLoginRequiredLocation /login/login.html
  AuthFormFakeBasicAuth On
  Session On
  SessionCryptoPassphrase secret
  SessionCookieName session path=/;httponly;secure;
    Require valid-user

Developer tool:

[cid:image003.jpg@01D6AA7A.33F42A60]

Please note: I don't want to set the httponly flag for other cookies. I tried the below but It enables the httponly flag for all cookies, while browsing the webpage :

<IfModule headers_module>
  Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
  Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"

Or

  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;secure
</IfModule>

Regards,
Sathish Vijayan



Det h?r e-postmeddelandet kan inneh?lla personuppgifter om dig som s?ndare eller mottagare samt om andra personer. Information om hur vi p? Tre behandlar personuppgifter finns att l?sa p? www.tre.se/gdpr.

Re: [users@httpd] set httponly flag for only "session" cookie

Posted by Sathish Vijayan <Sa...@tre.se>.
Thanks it worked for me! :-)



________________________________
From: Eric Covener <co...@gmail.com>
Sent: Sunday, October 25, 2020, 9:29 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] set httponly flag for only "session" cookie


CAUTION: External email. Please do not click on links/attachments unless you recognize the sender.


try adapting the commented example here for samesite: https://github.com/covener/apache-samesite/blob/master/samesite-global.conf

On Sat, Oct 24, 2020 at 10:01 PM Sathish Vijayan <Sa...@tre.se>> wrote:
Hi!

I am using form based authenciation and enabled a session cookie to store the user session with username and password as below.
And trying to set httponly flag for only “session” cookie. Please help to solve this with a configuration in apache 2.4.25 version.

AuthType form
  AuthName "TEST"
  AuthUserFile /user/passwords
  AuthGroupFile /user/groups
  AuthFormLoginRequiredLocation /login/login.html
  AuthFormFakeBasicAuth On
  Session On
  SessionCryptoPassphrase secret
  SessionCookieName session path=/;httponly;secure;
    Require valid-user

Developer tool:

[cid:1755edf70916917eb1]

Please note: I don’t want to set the httponly flag for other cookies. I tried the below but It enables the httponly flag for all cookies, while browsing the webpage :

<IfModule headers_module>
  Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
  Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"

Or

  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;secure
</IfModule>

Regards,
Sathish Vijayan



Det här e-postmeddelandet kan innehålla personuppgifter om dig som sändare eller mottagare samt om andra personer. Information om hur vi på Tre behandlar personuppgifter finns att läsa på www.tre.se/gdpr<http://www.tre.se/gdpr>.


--
Eric Covener
covener@gmail.com<ma...@gmail.com>

Re: [users@httpd] set httponly flag for only "session" cookie

Posted by Eric Covener <co...@gmail.com>.
try adapting the commented example here for samesite:
https://github.com/covener/apache-samesite/blob/master/samesite-global.conf

On Sat, Oct 24, 2020 at 10:01 PM Sathish Vijayan <Sa...@tre.se>
wrote:

> Hi!
>
>
>
> I am using form based authenciation and enabled a session cookie to store
> the user session with username and password as below.
>
> And trying to set httponly flag for only “session” cookie. Please help to
> solve this with a configuration in apache 2.4.25 version.
>
>
>
> AuthType form
>
>   AuthName "TEST"
>
>   AuthUserFile /user/passwords
>
>   AuthGroupFile /user/groups
>
>   AuthFormLoginRequiredLocation /login/login.html
>
>   AuthFormFakeBasicAuth On
>
>   Session On
>
>   SessionCryptoPassphrase secret
>
>   SessionCookieName session path=/;httponly;secure;
>
>     Require valid-user
>
>
>
> Developer tool:
>
>
>
>
>
> Please note: I don’t want to set the httponly flag for other cookies. I
> tried the below but It enables the httponly flag for all cookies, while
> browsing the webpage :
>
>
>
> <IfModule headers_module>
>
>   Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
>
>   Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
>
>
>
> Or
>
>
>
>   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;secure
>
> </IfModule>
>
>
>
> Regards,
>
> Sathish Vijayan
>
>
>
>
>
> Det här e-postmeddelandet kan innehålla personuppgifter om dig som sändare
> eller mottagare samt om andra personer. Information om hur vi på Tre
> behandlar personuppgifter finns att läsa på www.tre.se/gdpr.
>


-- 
Eric Covener
covener@gmail.com