Set Secure and HttpOnly Cookies in Apache 2.2.4


Steps

* See this post on configuring the mod_jk module for Apache 2.2 and Tomcat 7 (that setup is assumed below)
* Make sure mod_headers is loaded:

# grep mod_headers.so httpd.conf
LoadModule headers_module modules/mod_headers.so

* Add to httpd.conf (Header edit requires Apache 2.2.4 or later):
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
- or, to avoid appending a second HttpOnly attribute to cookies that already carry one (this variant adds only HttpOnly; the lookahead makes the rule skip any value that already contains it):
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
* Restart Apache

Test

* Install and start Fiddler2

Before

* Point the browser to http://openidmbox/examples/servlets/servlet/CookieExample (the CookieExample servlet from the Tomcat examples webapp, proxied through mod_jk)

[screenshot: mod_jk_testCookie]

* Check Fiddler; the cookie should arrive without any attributes:
Set-Cookie: testname=testvalue

[screenshot: mod_jk_testCookie_fiddler]

After

* Check Fiddler again; the same cookie should now carry both flags:
Set-Cookie: testname=testvalue;Secure;HttpOnly
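To see how the two directives above behave without a running Apache, here is an added Python emulation (not code from the post) that applies the same PCRE patterns with Python's re module and then audits the resulting Set-Cookie values the way the Fiddler check does by eye; it goes slightly beyond the post by auditing any Set-Cookie value for both flags, and the sample cookie values are constructed.

```python
import re

# The two "Header edit Set-Cookie" rules from the post. mod_headers uses PCRE;
# these particular patterns are valid for Python's re as well.
NAIVE_PATTERN = re.compile(r"^(.*)$")
NAIVE_REPL = r"\1;Secure;HttpOnly"          # always appends, even if already present
SAFE_PATTERN = re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$")
SAFE_REPL = r"\1; HttpOnly"                 # no match => value left untouched


def naive_edit(set_cookie: str) -> str:
    """Emulate: Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly"""
    return NAIVE_PATTERN.sub(NAIVE_REPL, set_cookie)


def safe_edit(set_cookie: str) -> str:
    """Emulate the lookahead variant that adds HttpOnly only when it is missing."""
    return SAFE_PATTERN.sub(SAFE_REPL, set_cookie)


def audit(set_cookie: str) -> dict:
    """Parse one Set-Cookie value and report which protective flags are missing."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "missing": [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs],
    }


# Constructed sample values (not captured from the post's server).
SAMPLES = [
    "testname=testvalue",                           # the "before" case in the post
    "JSESSIONID=ABC123; Path=/examples; HttpOnly",  # backend already set HttpOnly
    "pref=dark; Path=/; Secure",                    # Secure only
]


def main():
    for value in SAMPLES:
        print(repr(value))
        for label, fn in (("naive", naive_edit), ("safe ", safe_edit)):
            out = fn(value)
            print(f"  {label}: {out!r} -> missing {audit(out)['missing']}")


if __name__ == "__main__":
    main()
```

A browser only returns a Secure cookie over HTTPS, so once the flag is added the test URL above has to be served over TLS for the cookie to round-trip.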

[screenshot: mod_jk_testCookieHttpOnly_fiddler]
