Apache mod_headers rule to change all cookies to secure

Posted by Supowski on Server Fault
Published on 2011-02-15T14:12:33Z Indexed on 2011/02/15 15:27 UTC

I would like to change all cookies to be secure and http-only. It works fine for one cookie, but doesn't work when multiple cookies are set in the response.

The Apache mod_headers rule should change cookies from:

Set-Cookie cookie1=value; Path=/somePath
Set-Cookie cookie2=value; Path=/somePath

to

Set-Cookie cookie1=value; Path=/somePath; Secure; Http-Only
Set-Cookie cookie2=value; Path=/somePath; Secure; Http-Only

I use mod_headers for it with the following rule:

Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

It works fine when only one cookie is set, but if there is more than one, it just removes all the following ones and they are not set at all.

Any help on how to write a mod_headers rule for multiple values? Or is the problem in something else?
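
A check that can be run over captured response headers to see which of the two outcomes described above occurred, as an added example that is not part of the original post: it models the rule's regex applied to each Set-Cookie value on its own, then reports cookies that were dropped or that lack Secure or HttpOnly. The header text is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample: backend response headers before the rule is applied.
BACKEND = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: cookie1=value; Path=/somePath\r\n"
    "Set-Cookie: cookie2=value; Path=/somePath\r\n"
    "\r\n"
)
# Constructed sample of the symptom in the post: only the first cookie survives.
SYMPTOM = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: cookie1=value; Path=/somePath;Secure;HttpOnly\r\n"
    "\r\n"
)

def set_cookie_values(raw_headers):
    """Return the value of every Set-Cookie header line, in order."""
    values = []
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def apply_edit(values):
    """Intended result: the rule's regex applied to each header value separately."""
    return [re.sub(r"^(.*)$", r"\1;Secure;HttpOnly", v, count=1) for v in values]

def rebuild(values):
    """Build a response header block carrying the given Set-Cookie values."""
    return "HTTP/1.1 200 OK\r\n" + "".join(f"Set-Cookie: {v}\r\n" for v in values) + "\r\n"

def audit(expected_names, raw_headers):
    """Report expected cookies that are absent and cookies missing a flag."""
    seen, missing_flags = set(), {}
    for value in set_cookie_values(raw_headers):
        pair, *attrs = [p.strip() for p in value.split(";")]
        name = pair.split("=", 1)[0]
        seen.add(name)
        # Attribute names are matched case-insensitively, exact spelling only.
        flags = {a.split("=", 1)[0].lower() for a in attrs if a}
        lacking = sorted({"secure", "httponly"} - flags)
        if lacking:
            missing_flags[name] = lacking
    dropped = [n for n in expected_names if n not in seen]
    return {"dropped": dropped, "missing_flags": missing_flags}
```

Comparing `audit(...)` on the backend's headers with the same call on the headers seen by the client separates a cookie that lost its flags from a cookie that was removed entirely.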

© Server Fault or respective owner
