Set Secure and HttpOnly Cookies in Apache 2.0 Using Mod_Security


Versions

* CentOS 6.2
* Apache 2.0.52
* For Apache 2.2 and above, see here for the mod_headers "Header edit" directive instead

Install mod_security

* Install with yum:

yum install mod_security
service httpd restart

* mod_security config file: /etc/httpd/conf.d/mod_security.conf
– check that the rule engine is turned on: SecRuleEngine On
* mod_security rules directory: /etc/httpd/modsecurity.d/activated_rules

Append HttpOnly Tag to Cookies

* Add to /etc/httpd/conf.d/mod_security.conf:

# Identifies session IDs without the HttpOnly flag and sets the "http_cookie" ENV
# token for Apache to read
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?i:\;? ?httponly;?)" "id:300001,chain,phase:3,t:none,pass,nolog"
SecRule MATCHED_VAR "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "t:none,setenv:http_cookie=%{matched_var}"

# Now we use the Apache Header directive to rewrite the cookie with the flag appended.
# Note: "Header set" replaces every Set-Cookie header in the response with this single
# one, so it only works as intended when the response sets one cookie.
Header set Set-Cookie "%{http_cookie}e; HTTPOnly" env=http_cookie
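To check which cookies the rule above would actually catch before deploying it, here is an added Python audit (not part of the original post or of ModSecurity) that applies the rule's session-name pattern to a constructed set of response headers and reports missing HttpOnly and Secure flags; the sample headers and the function names are assumptions.

```python
import re

# Session-cookie name pattern copied from the second SecRule above. Like the
# rule's MATCHED_VAR test it is applied to the whole Set-Cookie value, not only
# the cookie name, so any path or value containing e.g. "sid" also matches.
SESSION_NAME_RE = re.compile(
    r"(?i)(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)"
)

# Constructed sample response headers (not captured from the page's test server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0A1B2C3D4E5F; Path=/examples"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie", "lang=en; Path=/consider"),   # "sid" inside the path
    ("Set-Cookie", "sid=xyz; Path=/; Secure; HttpOnly"),
]


def _present_flags(value):
    """Attributes after the first ';', lower-cased (e.g. {'path=/', 'httponly'})."""
    return {part.strip().lower() for part in value.split(";")[1:]}


def audit_set_cookie(headers):
    """Return [(cookie_name, [missing flags])] for each Set-Cookie header that the
    rule's session pattern matches and that lacks HttpOnly and/or Secure."""
    findings = []
    for name, value in headers:
        if name.lower() not in ("set-cookie", "set-cookie2"):
            continue
        if not SESSION_NAME_RE.search(value):
            continue  # the rule would not fire for this header
        attrs = _present_flags(value)
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        if missing:
            findings.append((value.split("=", 1)[0].strip(), missing))
    return findings


def apply_flags(value, flags):
    """Append the flags, as 'Header set Set-Cookie "%{http_cookie}e; HTTPOnly"' does."""
    return value + "".join("; " + f for f in flags)


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

Running it shows that the non-session "theme" cookie is left alone while "lang" is flagged only because its path contains "sid", which is the over-match to expect from the rule's whole-value regex.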

Testing

* See this post on how to set up testing
* Point IE to: http://openidmbox/examples/servlets/servlet/CookieExample

[Screenshot: mod_jk_testCookieHttpOnly_web_Apache2.0]

* Without mod_security rules:

[Screenshot: mod_jk_testCookieHttpOnly_fiddler_Apache2.0]

* With mod_security rules:

[Screenshot: mod_jk_testCookieHttpOnly_fiddler_Apache2.0_modSec]

References

* ModSecurity Blog: Fixing Both Missing HTTPOnly and Secure Cookie Flags
* ModSecurity Blog: Helping Protect Cookies with HTTPOnly Flag
