1

I've written this rule to add the httpOnly flag to each cookie, but the result was that [enter image description here].

What's wrong with the rule?

```
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
```

[EDIT] I've tried to do this treatment at the backend, but it's using servlet 2.4 and jboss4, and the minimum required is servlet 3.0.

  • I'd *highly* recommend reserving setting any kind of cookies to be done with scripting languages, not Apache. Apache is updated a *lot* less frequently than even slowly evolving programming languages. That being said, there might be a way to do it, though I just can't recommend coming to rely on Apache for everything. – John Jul 04 '20 at 03:59
  • which backend server are you using? This parameter is only recommended with SSL connector. – Pandurang Jul 04 '20 at 09:10
  • @Pandurang I've edited the post. It's java6 but the problem is that servlet version is 2.4 – André Luís Oliveira Jul 06 '20 at 12:47
  • @John I've tried to do it at the backend but the servlet version was a barrier – André Luís Oliveira Jul 06 '20 at 13:00
  • I program PHP, not Java though if the two are any alike instead of using PHP's `setcookie` function, specific to cookies, I would just use PHP's `header()` function instead. Surely Java has functions to let you completely define headers? – John Jul 07 '20 at 00:40
  • @John Indeed there are, but Apache seemed easier, that's why I made efforts on it – André Luís Oliveira Jul 07 '20 at 01:21

1 Answer

0

Do you want to edit the JSessionID header? If yes, then you need to use the same exact name in the header, i.e.

```
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
```
Pandurang
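To check what a rewrite like the one above does to the cookies a backend sends, the following added example (not code from the question or the answer) models the `^(.*)$` substitution in Python and audits each `Set-Cookie` value for missing or repeated `HttpOnly` and `Secure` attributes. The function names and sample cookie values are hypothetical and constructed for illustration; it models the regex only, not Apache's header tables.

```python
import re

# Constructed sample Set-Cookie values (not taken from the page).
SAMPLES = [
    "JSESSIONID=abc123; Path=/app",
    "JSESSIONID=abc123; Path=/app; HttpOnly",
    "theme=dark; Path=/; Secure; HttpOnly",
]

def attributes(set_cookie):
    """Return lower-cased attribute names that follow the name=value pair."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return [p.split("=", 1)[0].lower() for p in parts if p]

def audit(set_cookie):
    """List problems in one Set-Cookie value: missing or repeated flags."""
    attrs = attributes(set_cookie)
    issues = []
    for flag in ("httponly", "secure"):
        count = attrs.count(flag)
        if count == 0:
            issues.append("missing " + flag)
        elif count > 1:
            issues.append("duplicate " + flag)
    return issues

def apply_page_rule(set_cookie):
    """Model of: Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", set_cookie, count=1)

def harden(set_cookie):
    """Append only the flags that are absent, so repeating it is harmless."""
    attrs = attributes(set_cookie)
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in attrs:
            set_cookie += "; " + flag
    return set_cookie

if __name__ == "__main__":
    for value in SAMPLES:
        rewritten = apply_page_rule(value)
        print("backend  :", value, audit(value))
        print("page rule:", rewritten, audit(rewritten))
        print("hardened :", harden(value), audit(harden(value)))
```

The unconditional append repeats a flag when the backend already sets it, which the audit reports as a duplicate; appending only absent flags avoids that.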