Posted to users@httpd.apache.org by Sathish Vijayan <Sa...@tre.se> on 2020/10/25 01:54:50 UTC
[users@httpd] set httponly flag for only "session" cookie
Hi!
I am using form-based authentication and enabled a session cookie to store the user session with username and password as below.
And trying to set the httponly flag for only the "session" cookie. Please help me solve this with a configuration for Apache version 2.4.25.
AuthType form
AuthName "TEST"
AuthUserFile /user/passwords
AuthGroupFile /user/groups
AuthFormLoginRequiredLocation /login/login.html
AuthFormFakeBasicAuth On
Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/;httponly;secure;
Require valid-user
Developer tool: [screenshot attachment not included in the archive]
Please note: I don't want to set the httponly flag for other cookies. I tried the below, but it enables the httponly flag for all cookies while browsing the webpage:
<IfModule headers_module>
Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Or
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;secure
</IfModule>
Regards,
Sathish Vijayan
This e-mail may contain personal data about you as sender or recipient and about other persons. Information on how we at Tre process personal data is available at www.tre.se/gdpr.
Re: [users@httpd] set httponly flag for only "session" cookie
Posted by Sathish Vijayan <Sa...@tre.se>.
Thanks it worked for me! :-)
________________________________
From: Eric Covener <co...@gmail.com>
Sent: Sunday, October 25, 2020, 9:29 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] set httponly flag for only "session" cookie
try adapting the commented example here for samesite: https://github.com/covener/apache-samesite/blob/master/samesite-global.conf
On Sat, Oct 24, 2020 at 10:01 PM Sathish Vijayan <Sa...@tre.se> wrote:
Hi!
I am using form-based authentication and enabled a session cookie to store the user session with username and password as below.
And trying to set the httponly flag for only the “session” cookie. Please help me solve this with a configuration for Apache version 2.4.25.
AuthType form
AuthName "TEST"
AuthUserFile /user/passwords
AuthGroupFile /user/groups
AuthFormLoginRequiredLocation /login/login.html
AuthFormFakeBasicAuth On
Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/;httponly;secure;
Require valid-user
Developer tool: [screenshot attachment not included in the archive]
Please note: I don’t want to set the httponly flag for other cookies. I tried the below, but it enables the httponly flag for all cookies while browsing the webpage:
<IfModule headers_module>
Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Or
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;secure
</IfModule>
Regards,
Sathish Vijayan
This e-mail may contain personal data about you as sender or recipient and about other persons. Information on how we at Tre process personal data is available at www.tre.se/gdpr.
--
Eric Covener
covener@gmail.com
Re: [users@httpd] set httponly flag for only "session" cookie
Posted by Eric Covener <co...@gmail.com>.
try adapting the commented example here for samesite:
https://github.com/covener/apache-samesite/blob/master/samesite-global.conf
On Sat, Oct 24, 2020 at 10:01 PM Sathish Vijayan <Sa...@tre.se> wrote:
> Hi!
>
> I am using form-based authentication and enabled a session cookie to store
> the user session with username and password as below.
>
> And trying to set the httponly flag for only the “session” cookie. Please help
> me solve this with a configuration for Apache version 2.4.25.
>
> AuthType form
> AuthName "TEST"
> AuthUserFile /user/passwords
> AuthGroupFile /user/groups
> AuthFormLoginRequiredLocation /login/login.html
> AuthFormFakeBasicAuth On
> Session On
> SessionCryptoPassphrase secret
> SessionCookieName session path=/;httponly;secure;
> Require valid-user
>
> Developer tool: [screenshot attachment not included in the archive]
>
> Please note: I don’t want to set the httponly flag for other cookies. I
> tried the below, but it enables the httponly flag for all cookies while
> browsing the webpage:
>
> <IfModule headers_module>
> Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
> Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
>
> Or
>
> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;secure
> </IfModule>
>
> Regards,
>
> Sathish Vijayan
>
> This e-mail may contain personal data about you as sender or recipient and
> about other persons. Information on how we at Tre process personal data is
> available at www.tre.se/gdpr.
>
--
Eric Covener
covener@gmail.com
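The reason the regexes in the question flag every cookie is that they are anchored only on "no HttpOnly yet", never on the cookie name. The fix Eric's pointer relies on is to anchor the `Header edit` pattern on the literal `session=` prefix. The Python below is an added example, not code from the thread or from the linked samesite repository: it stands in for the regex-replace step that mod_headers' `Header edit` performs on each `Set-Cookie` header (it is not Apache itself, but these PCRE patterns behave the same in Python's `re`). It applies the thread's own "every cookie" pattern and a name-anchored rule to a constructed list of `Set-Cookie` values; every cookie name other than `session` is made up. It goes slightly beyond the thread by building the rule for any attribute (`Secure`, `SameSite=Lax`), checking presence by attribute name so an existing `SameSite=Strict` is not duplicated.

```python
from __future__ import annotations

import re

# Constructed sample: Set-Cookie values one response might carry after a form
# login. Only "session" comes from the thread; "theme" and "csrftoken" are made up.
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; HttpOnly",   # already flagged: must not be doubled
    "theme=dark; Path=/",
    "csrftoken=xyz; Path=/; Secure",
]

# The pattern from the thread, unchanged: it accepts any Set-Cookie value that
# lacks HttpOnly, so every cookie gets the flag. Apache's "$1" is Python's "\1".
EVERY_COOKIE = (r"(?i)^((?:(?!;\s?HttpOnly).)+)$", r"\1; HttpOnly")


# Name-anchored rule. The equivalent Apache directive (assumed, not from the
# thread) for cookie "session" and attribute "HttpOnly" would be:
#   Header edit Set-Cookie "^(session=(?:(?!;\s*(?i:HttpOnly)).)*)$" "$1; HttpOnly"
def cookie_rule(cookie: str, attr: str) -> tuple[str, str]:
    """Build a (pattern, replacement) pair that appends `attr` only to the
    cookie named `cookie`, and only when that attribute is not already present.

    The match must start with the literal "name=" prefix, so other cookies never
    match; the negative lookahead keeps the idea of the thread's regex. For a
    valued attribute such as "SameSite=Lax", presence is checked by the
    attribute name alone, so an existing "SameSite=Strict" is left as it is.
    """
    name = re.escape(cookie)
    attr_name = re.escape(attr.split("=", 1)[0])
    return (rf"^({name}=(?:(?!;\s*(?i:{attr_name})).)*)$", rf"\1; {attr}")


def header_edit(rule: tuple[str, str], values: list[str]) -> list[str]:
    """Apply one regex replacement to each Set-Cookie value on its own, the way
    mod_headers' "Header edit" processes each header of the given name."""
    pattern, replacement = rule
    return [re.sub(pattern, replacement, v) for v in values]


def cookies_with_attr(values: list[str], attr: str) -> set[str]:
    """Names of cookies whose Set-Cookie value carries `attr` (case-insensitive),
    i.e. what the browser's developer tools would show as flagged."""
    attr_name = re.escape(attr.split("=", 1)[0])
    return {v.split("=", 1)[0] for v in values
            if re.search(rf";\s*{attr_name}\b", v, re.IGNORECASE)}


if __name__ == "__main__":
    for label, rule in (("thread pattern", EVERY_COOKIE),
                        ("session only", cookie_rule("session", "HttpOnly"))):
        print(f"--- {label} ---")
        for line in header_edit(rule, SAMPLE_SET_COOKIES):
            print("Set-Cookie:", line)
```

Running the block prints both variants side by side: the thread's pattern adds HttpOnly to `theme` and `csrftoken` as well, while the name-anchored rule touches only the two `session` lines and leaves the already-flagged one unchanged. When adapting the directive, remember that mod_headers keeps two header tables: if the session cookie still shows up unflagged, check whether it is being written to the error table and use `Header always edit` for that case.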