Hi experts. This is my first post to the Apache mailing list.

Ubuntu
Apache: 2.4

I am trying to make every cookie generated by the app or the Apache HTTP server secure and httponly, with the domain set to the site domain name.

Example: there is a cookie called MyCookie1=12345; it should be set to Mycookie=12345;secure;httponly;domain=xyz.corp.test.com

I am using the rule below to make it work.

Header edit Set-Cookie ^(.*)$ "$1;Secure;HttpOnly; domain=xyz.corp.test.com "

Then I realized that there are many cookies with secure, httponly and domain name already set by the app. With the above rule in Apache, cookies now have multiple domain, secure and httponly values.

Example: the cookie Mycookie1.app1=123456;domain=*.corp.test.com,secure,httponly is resulting in Mycookie1.app1=12345;domain=*.corp.test.com,secure,httponly,domain= xyz.corp.test.com,Secure,Httponly. (The app sets secure and httponly in lowercase and Apache appends Secure and Httponly starting with uppercase.)

I am using the rules below to avoid duplicates, but they break the application.

Header edit Set-Cookie ^(.*);\s?secure;?\s?(.*);\s?secure;?\s?(.*)$ "$1; $2; $3; Secure"
Header edit Set-Cookie ^(.*);\s?httpOnly;?\s?(.*);\s?httpOnly;?\s?(.*)$ "$1; $2; $3; HttpOnly"
#Strip off double ;; settings
Header edit Set-Cookie ^(.*);\s?;\s?(.*)$ "$1; $2"

How do I remove secure, httponly and domain if present and add them using a Header edit cookie rule, and how do I append secure, httponly and domain if not present in the cookie?

I appreciate your time and help.

Thanks,
Kumar
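
The strip-then-append behaviour the question asks for, as an added example that is not part of the original post: it models the logic in Python on constructed cookie values based on the ones above, rather than as tested mod_headers directives. The names `normalize`, `naive_append` and `attribute_names` are made up for this example.

```python
import re

SITE_DOMAIN = "xyz.corp.test.com"  # domain named in the post

# One existing Secure, HttpOnly or Domain=... attribute in any letter case,
# including the ';' in front of it. The lookahead requires the attribute to end
# at ';' or end of string, so a longer name starting with "secure" is not hit.
MANAGED_ATTR = re.compile(
    r";\s*(?:secure|httponly|domain=[^;]*)\s*(?=;|$)", re.IGNORECASE
)


def naive_append(value):
    """First rule from the post: append unconditionally, whatever is there."""
    return value + ";Secure;HttpOnly; domain=" + SITE_DOMAIN


def normalize(value):
    """Strip Secure/HttpOnly/Domain if present, then append each exactly once."""
    stripped = MANAGED_ATTR.sub("", value).rstrip("; ")
    return f"{stripped}; Secure; HttpOnly; Domain={SITE_DOMAIN}"


def attribute_names(value):
    """Lower-cased attribute names after the leading name=value pair."""
    parts = [p.strip() for p in value.split(";")[1:]]
    return [p.split("=", 1)[0].lower() for p in parts if p]


# Constructed Set-Cookie values modelled on the cookies in the post.
SAMPLES = [
    "MyCookie1=12345",
    "Mycookie1.app1=12345; domain=*.corp.test.com; secure; httponly",
    "sid=abc; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; HTTPONLY",
    "pref=secure; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print("app sets :", raw)
        print("naive    :", attribute_names(naive_append(raw)))
        print("fixed    :", normalize(raw))
```

Removing first and appending second makes the result the same whether or not the app already set the attributes, and running it twice changes nothing.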