Add HttpOnly flag to cookies on the fly using Apache?

So, I have a Java webapp that runs on Tomcat behind an Apache proxy. I want all cookies set in the app to have the HttpOnly flag. The problem is that Tomcat is responsible for setting the flag on the application side, and its default value (in Servlet API 2.5) is false. I was hoping I could set this flag for all cookies on the fly using Apache.

I tried different combinations, and the closest I got sets HttpOnly only on the last cookie sent, which of course is wrong:

Header append Set-Cookie "; HttpOnly" 

I have no way of knowing which cookies / values will be sent from the application. Is it possible?

+4
2 answers

Try the following mod_headers directive.

 Header edit Set-Cookie ^(.*)$ $1;HttpOnly 
+3

A slight revision of the mod_headers directive above; the advantage is that it will not duplicate HttpOnly if it is already present, if that matters to you:

  Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly" 

See:

+7
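To see what the two directives actually do to a response, here is an added Python simulation (not code from the question or either answer) that applies each regex, the way Apache's Header edit does, to a few constructed Set-Cookie values. Apache's mod_headers uses PCRE with $1 for the back-reference where Python's re uses \1; otherwise the patterns are the same.

```python
import re

# The two directives from the answers, as (pattern, replacement) pairs.
# Apache writes the back-reference as $1; Python's re.sub wants \1.
NAIVE_EDIT = (r"^(.*)$", r"\1;HttpOnly")
SAFE_EDIT = (r"(?i)^((?:(?!;\s?HttpOnly).)+)$", r"\1; HttpOnly")


def header_edit(values, pattern, replacement):
    """Mimic `Header edit Set-Cookie <pattern> <replacement>`: every
    Set-Cookie value gets a single search-and-replace (edit, not edit*)."""
    return [re.sub(pattern, replacement, v, count=1) for v in values]


def has_httponly(value):
    """True if the cookie carries the HttpOnly attribute.
    Attribute names are case-insensitive (RFC 6265), so compare lower-cased."""
    attributes = value.split(";")[1:]
    return any(a.strip().lower() == "httponly" for a in attributes)


# Constructed sample response headers: a Tomcat-style session cookie without
# the flag, one that already has it, and one with the flag in lower case.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",
    "prefs=dark; Path=/; HttpOnly",
    "csrf=abc; Path=/; httponly; Secure",
]


def audit(values):
    """Pair each rewritten header with whether it now has HttpOnly."""
    return [(v, has_httponly(v)) for v in values]


if __name__ == "__main__":
    for name, edit in (("naive", NAIVE_EDIT), ("safe", SAFE_EDIT)):
        print(name)
        for value, flagged in audit(header_edit(SAMPLE_SET_COOKIE, *edit)):
            print(f"  {flagged!s:5}  {value}")
```

The naive pattern appends a second HttpOnly to the cookies that already had one, while the lookahead version leaves those untouched and only adds the flag where it is missing.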

Source: https://habr.com/ru/post/1339752/