[users@httpd] Mark cookies as secure?

[Alan Murphy <am...@tcd.ie>]

Hi all, 

I need to mark cookies as secure, I thought I could just use the mod headers directive

Header edit set-cookie ^(.*)$ $1;secure

But it does not work, am I missing something. Any help would be greatly appreciated,

Sent from my iPhone
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Mark cookies as secure?

[Eric Covener <co...@gmail.com>]

> Hope this time it will sink deeper in my memory and stay there for longer
> than 5 minutes :)

This part was expanded relatively recently to cover the unfortunate
API stuff that bleeds out into using the Header directive.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Mark cookies as secure?

[Igor Cicimov <ic...@gmail.com>]

On Thu, Feb 21, 2013 at 12:07 PM, Eric Covener <co...@gmail.com> wrote:

> On Wed, Feb 20, 2013 at 5:15 PM, Igor Cicimov <ic...@gmail.com> wrote:
> > Yeah cgi, thats what i thought. In case of cgi apache doesn't have
> control
> > over the headers, you need to make the changes from inside cgi scripts
> them
> > self.
> >
>
> These can still be edited, but I think mod_cgi puts the headers in the
> "error headers" bucket -- as in Header always edit ...
>

Eric, your response made me go and re-read mod_headers doco (carefully),
which I haven't done for some time, and there it was of course, very clear:

The default value of onsuccess may need to be changed to always under the
circumstances similar to those listed below. Note also that repeating this
directive with both conditions makes sense in some scenarios because
alwaysis not a superset of
onsuccess with respect to existing headers:

   - You're adding a header to a non-success (non-2xx) response, such as a
   redirect, in which case only the table corresponding to always is used
   in the ultimate response.
   - *You're modifying or removing a header generated by a CGI script, in
   which case the CGI scripts are in the table corresponding to always and
   not in the default table.*
   - You're modifying or removing a header generated by some piece of the
   server but that header is not being found by the default onsuccesscondition.

Hope this time it will sink deeper in my memory and stay there for longer
than 5 minutes :)


> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] Mark cookies as secure?

[Eric Covener <co...@gmail.com>]

On Wed, Feb 20, 2013 at 5:15 PM, Igor Cicimov <ic...@gmail.com> wrote:
> Yeah cgi, thats what i thought. In case of cgi apache doesn't have control
> over the headers, you need to make the changes from inside cgi scripts them
> self.
>

These can still be edited, but I think mod_cgi puts the headers in the
"error headers" bucket -- as in Header always edit ...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Mark cookies as secure?

[Alan Murphy <am...@tcd.ie>]

Thank for your help, all sorted.

Sent from my iPhone

On 20 Feb 2013, at 22:15, Igor Cicimov <ic...@gmail.com> wrote:

> Yeah cgi, thats what i thought. In case of cgi apache doesn't have control over the headers, you need to make the changes from inside cgi scripts them self.
> On 21/02/2013 4:48 AM, "Alan Murphy" <am...@tcd.ie> wrote:
>> Only defaults, mod_cgid.c, cgi-bin????
>> 
>> Sent from my iPhone
>> 
>> On 20 Feb 2013, at 00:17, Igor Cicimov <ic...@gmail.com> wrote:
>> 
>>> Any CGI scripts or modules enabled?
>>> 
>>> 
>>> On Wed, Feb 20, 2013 at 5:00 AM, Alan Murphy <am...@tcd.ie> wrote:
>>>> 2.2.22
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>> On 19 Feb 2013, at 13:24, Igor Cicimov <ic...@gmail.com> wrote:
>>>> 
>>>>> 
>>>>> On 19/02/2013 12:43 AM, "Alan Murphy" <am...@tcd.ie> wrote:
>>>>> >
>>>>> > Hi all,
>>>>> >
>>>>> > I need to mark cookies as secure, I thought I could just use the mod headers directive
>>>>> >
>>>>> > Header edit set-cookie ^(.*)$ $1;secure
>>>>> >
>>>>> > But it does not work, am I missing something. Any help would be greatly appreciated,
>>>>> >
>>>>> > Sent from my iPhone
>>>>> > ---------------------------------------------------------------------
>>>>> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> > For additional commands, e-mail: users-help@httpd.apache.org
>>>>> >
>>>>> Which apache version??

Re: [users@httpd] Mark cookies as secure?

[Igor Cicimov <ic...@gmail.com>]

Yeah cgi, thats what i thought. In case of cgi apache doesn't have control
over the headers, you need to make the changes from inside cgi scripts them
self.
 On 21/02/2013 4:48 AM, "Alan Murphy" <am...@tcd.ie> wrote:

> Only defaults, mod_cgid.c, cgi-bin????
>
> Sent from my iPhone
>
> On 20 Feb 2013, at 00:17, Igor Cicimov <ic...@gmail.com> wrote:
>
> Any CGI scripts or modules enabled?
>
>
> On Wed, Feb 20, 2013 at 5:00 AM, Alan Murphy <am...@tcd.ie> wrote:
>
>> 2.2.22
>>
>> Sent from my iPhone
>>
>> On 19 Feb 2013, at 13:24, Igor Cicimov <ic...@gmail.com> wrote:
>>
>>
>> On 19/02/2013 12:43 AM, "Alan Murphy" <am...@tcd.ie> wrote:
>> >
>> > Hi all,
>> >
>> > I need to mark cookies as secure, I thought I could just use the mod
>> headers directive
>> >
>> > Header edit set-cookie ^(.*)$ $1;secure
>> >
>> > But it does not work, am I missing something. Any help would be greatly
>> appreciated,
>> >
>> > Sent from my iPhone
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> > For additional commands, e-mail: users-help@httpd.apache.org
>> >
>> Which apache version??
>>
>>
>

Re: [users@httpd] Mark cookies as secure?

[Alan Murphy <am...@tcd.ie>]

Only defaults, mod_cgid.c, cgi-bin????

Sent from my iPhone

On 20 Feb 2013, at 00:17, Igor Cicimov <ic...@gmail.com> wrote:

> Any CGI scripts or modules enabled?
> 
> 
> On Wed, Feb 20, 2013 at 5:00 AM, Alan Murphy <am...@tcd.ie> wrote:
>> 2.2.22
>> 
>> Sent from my iPhone
>> 
>> On 19 Feb 2013, at 13:24, Igor Cicimov <ic...@gmail.com> wrote:
>> 
>>> 
>>> On 19/02/2013 12:43 AM, "Alan Murphy" <am...@tcd.ie> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > I need to mark cookies as secure, I thought I could just use the mod headers directive
>>> >
>>> > Header edit set-cookie ^(.*)$ $1;secure
>>> >
>>> > But it does not work, am I missing something. Any help would be greatly appreciated,
>>> >
>>> > Sent from my iPhone
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> > For additional commands, e-mail: users-help@httpd.apache.org
>>> >
>>> Which apache version??
>>> 
> 

Re: [users@httpd] Mark cookies as secure?

[Igor Cicimov <ic...@gmail.com>]

Any CGI scripts or modules enabled?


On Wed, Feb 20, 2013 at 5:00 AM, Alan Murphy <am...@tcd.ie> wrote:

> 2.2.22
>
> Sent from my iPhone
>
> On 19 Feb 2013, at 13:24, Igor Cicimov <ic...@gmail.com> wrote:
>
>
> On 19/02/2013 12:43 AM, "Alan Murphy" <am...@tcd.ie> wrote:
> >
> > Hi all,
> >
> > I need to mark cookies as secure, I thought I could just use the mod
> headers directive
> >
> > Header edit set-cookie ^(.*)$ $1;secure
> >
> > But it does not work, am I missing something. Any help would be greatly
> appreciated,
> >
> > Sent from my iPhone
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> Which apache version??
>
>

Re: [users@httpd] Mark cookies as secure?

[Alan Murphy <am...@tcd.ie>]

2.2.22

Sent from my iPhone

On 19 Feb 2013, at 13:24, Igor Cicimov <ic...@gmail.com> wrote:

> 
> On 19/02/2013 12:43 AM, "Alan Murphy" <am...@tcd.ie> wrote:
> >
> > Hi all,
> >
> > I need to mark cookies as secure, I thought I could just use the mod headers directive
> >
> > Header edit set-cookie ^(.*)$ $1;secure
> >
> > But it does not work, am I missing something. Any help would be greatly appreciated,
> >
> > Sent from my iPhone
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> Which apache version??

Re: [users@httpd] Mark cookies as secure?

[Alan Murphy <am...@tcd.ie>]

Apache 2.2

Sent from my iPhone

On 19 Feb 2013, at 13:24, Igor Cicimov <ic...@gmail.com> wrote:

> 
> On 19/02/2013 12:43 AM, "Alan Murphy" <am...@tcd.ie> wrote:
> >
> > Hi all,
> >
> > I need to mark cookies as secure, I thought I could just use the mod headers directive
> >
> > Header edit set-cookie ^(.*)$ $1;secure
> >
> > But it does not work, am I missing something. Any help would be greatly appreciated,
> >
> > Sent from my iPhone
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> Which apache version??

Re: [users@httpd] Mark cookies as secure?

[Igor Cicimov <ic...@gmail.com>]

On 19/02/2013 12:43 AM, "Alan Murphy" <am...@tcd.ie> wrote:
>
> Hi all,
>
> I need to mark cookies as secure, I thought I could just use the mod
headers directive
>
> Header edit set-cookie ^(.*)$ $1;secure
>
> But it does not work, am I missing something. Any help would be greatly
appreciated,
>
> Sent from my iPhone
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
Which apache version??