Apache mod_header rule to change all cookies to secure
Posted
by
Supowski
on Server Fault
See other posts from Server Fault
or by Supowski
Published on 2011-02-15T14:12:33Z
Indexed on
2012/03/31
5:31 UTC
Read the original article
Hit count: 229
I would like to change all cookies to be secure and http-only. It works fine for one cookie, but doesn't work when multiple cookies are set in response.
Apache mod_header rule should change cookies from:
Set-Cookie cookie1=value; Path=/somePath
Set-Cookie cookie2=value; Path=/somePath
to
Set-Cookie cookie1=value; Path=/somePath; Secure; Http-Only
Set-Cookie cookie2=value; Path=/somePath; Secure; Http-Only
I use mod_headers for it with following rule:
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
It works fine when only one cookie is set, but if there is more than one, it just removes all the following and they are not set at all.
Any help how to write mod_headers rule for multiple values? or the problem is in something else?
© Server Fault or respective owner