Reputation: 1391
Apache: incap_ses_* cookie is Secure but not HttpOnly, whereas visid_incap_* have both flags
I have an Apache server that hosts a Wordpress webpage. I modified my mod_headers to set the Secure and HttpOnly flag to all the cookies.
My configuration is as follows:
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy "no-referrer-when-downgrade"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
For some reason the incap_ses cookie only appears with the Secure flag, and the visid_incap have both Secure and HttpOnly flags.
Is there a reason why that specific cookie (incap_ses) doesn't appear with the HttpOnly flag too?
Upvotes: 1
Views: 4198
Answers (1)
Reputation: 351
Here are a few ways to fix this.
Try always in front of edit i.e. always edit
Also make sure that you list a line uses always before any lines that has just use edit
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
But best practice would be to handle this in a PHP file. Then add something like this to the .htaccess.
Header set Set-Cookie HttpOnly;Secure
# END WordPress
# BEGIN HttpHeaders
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
# END HttpHeadersCookie
Upvotes: 1
Related Questions
- Session cookies http & secure flag - how do you set these?
- Add Secure and httpOnly Flags to Every Set-Cookie Response in Apache httpd
- Set httpOnly and secure on PHPSESSID cookie in PHP
- HTTPS - Cookie "HttpOnly" and "secure "
- Session Cookie secure/httponly
- turn off cookie_secure in apache for only one virtual host?
- Session Cookie without HttpOnly flag set
- How to set cookies HTTPOnly and secure attributes?
- php.ini set session cookie secure
- Setting the 'secure' and 'httponly' flags globally for php/apache