{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 不美不萌又怎样 的问题《Add Secure and httpOnly Flags to Every Set-Cookie》','https://www.manongdao.com/q-1226297.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm running Apache 2.2.26:
Server version: Apache/2.2.26 (Unix)
Server built: Jan 17 2014 12:24:49
Cpanel::Easy::Apache v3.22.30 rev9999 +cloudlinux
I'm attempting to use mod_headers to edit Set-Cookie headers and add the secure or httpOnly flag, but its not working at all (Does nothing, doesn't give HTTP 500 error).
I can use the "modify" "append", directives of the Header command without an issue, just not the edit. I do not know why...
I've tried many combinations, but this is what I have in my .htaccess:
Header edit Set-Cookie "(.)([Hh][Tt][Tt][Pp][Oo][Nn][Ll][Yy])?(.)" "$1$2 ;HTTPOnly"
Header edit Set-Cookie "(.)([Ss][Ee][Cc][Uu][Rr][Ee])?(.)" "$1$2 ;Secure"
I'm open to any solution that will automatically add the flags to every Set-Cookie response, without requiring the editing of code within the application. I do not have access to install additional items on the web server, but the web server has the standard very long list of Apache modules found on most web hosts.
The
Header editdirective runs before your application produces a response, so if the application is producing the header you want to edit, that header won't yet exist at the time the directive runs, and there'll be nothing for it to edit.You can fix this by using
Header always edit(which runs after your application produces a response) instead:An example header, before applying the directive:
The same header after applying the directive:
I'm not sure what the directives in your question are meant to do exactly; what they actually result in when changed to
Header always edit(assuming the sameSet-Cookieheader as in my example above) is e.g.If you understand how regexes and backreferences work, it's obvious what's happening there, but presumably it's not what you want. The directive I've given at the top of this answer ought to work for you if, as you say, you want to add the flag to every
Set-Cookieheader; if your needs are more complex and I've misunderstood what you're trying to do with that search/replace, let me know.EDIT: In case it isn't obvious: to add both flags, you can either modify the directive like so:
... or use two directives:
The first approach seems more sensible to me, but it's largely a matter of taste.
make sure that mod_headers.so is enabled then add the following header in apache2.conf for debian based system or httpd.conf for rpm based system
For lower than Apache 2.2.4 version use the following:
then Restart the server
I was trying to set http, secure and samesite=strict on cookies.
This worked for me:
Samesite=strict provides protection againsts XSRF.
Hope it helps.