{"id":9827,"date":"2014-03-17T15:55:20","date_gmt":"2014-03-17T20:55:20","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=9827"},"modified":"2014-03-31T15:25:58","modified_gmt":"2014-03-31T20:25:58","slug":"set-secure-and-httponly-cookies-in-apache-2-0","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=9827","title":{"rendered":"Set Secure and HttpOnly Cookies in Apache 2.0 Using Mod_Security"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tVersions<\/a>\n\t<\/li>\n\t
  2. \n\t\tInstall mod_security<\/a>\n\t<\/li>\n\t
  3. \n\t\tAppend HttpOnly Tag to Cookies<\/a>\n\t<\/li>\n\t
  4. \n\t\tTesting<\/a>\n\t<\/li>\n\t
  5. \n\t\tReferences<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
     <\/div>\n

    Versions<\/h2><\/span>\n

    * CentOS 6.2
    \n* Apache 2.0.52
    \n* For Apache 2.2<\/em> and above, see     here<\/a> to use mod_header edit<\/em> function<\/p>\n

    Install mod_security<\/h2><\/span>\n

    * Install with yum<\/em>:<\/p>\n

    \r\nyum install mod_security\r\n\r\nservice httpd restart\r\n<\/pre>\n
    * mod_security config file: \/etc\/httpd\/conf.d\/mod_security.conf<\/em>
    \n– check that rule engine is turned on: SecRuleEngine On<\/em>
    \n* mod_security rules directory: \/etc\/httpd\/modsecurity.d\/activated_rules<\/em><\/p>\n
    Append HttpOnly Tag to Cookies<\/h2><\/span>\n
    * Add to \/etc\/httpd\/conf.d\/mod_security.conf<\/em>:<\/p>\n
    \r\n# Identifies SessiondIDs without HTTPOnly flag and sets the \"http_cookie\" ENV\r\n# Token for Apache to read\r\nSecRule RESPONSE_HEADERS:\/Set-Cookie2?\/ \"!(?i:\\;? ?httponly;?)\" \"id:300001,chain,phase:3,t:none,pass,nolog\"\r\nSecRule MATCHED_VAR \"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))\" \"t:none,setenv:http_cookie=%{matched_var}\"\r\n\r\n# Now we use the Apache Header directive to set the new data\r\nHeader set Set-Cookie \"%{http_cookie}e; HTTPOnly\" env=http_cookie\r\n<\/IfModule>\r\n<\/pre>\n
    Testing<\/h2><\/span>\n
    * See this post<\/a> on how to setup testing
    \n* Point IE to:     http:\/\/openidmbox\/examples\/servlets\/servlet\/CookieExample<\/a><\/p>\n
    \"mod_jk_testCookieHttpOnly_web_Apache2.0\"<\/a><\/h6><\/span>\n
    * Without mod_security rules:<\/p>\n
    \"mod_jk_testCookieHttpOnly_fiddler_Apache2.0\"<\/a><\/h6><\/span>\n
    * With mod_security rules:<\/p>\n
    \"mod_jk_testCookieHttpOnly_fiddler_Apache2.0_modSec\"<\/a><\/h6><\/span>\n
    References<\/h2><\/span>\n
    * ModSecurity Blog: Fixing Both Missing HTTPOnly and Secure Cookie Flags<\/a>
    \n*     ModSecurity Blog: Helping Protect Cookies with HTTPOnly Flag<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Versions * CentOS 6.2 * Apache 2.0.52 * For Apache 2.2 and above, see here to use mod_header edit function Install mod_security * Install with yum: yum install mod_security service httpd restart * mod_security config file: \/etc\/httpd\/conf.d\/mod_security.conf – check that … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21],"tags":[475,469],"class_list":["post-9827","post","type-post","status-publish","format-standard","hentry","category-apache","tag-apache2-0","tag-httponly"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-2yv","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9827"}],"version-history":[{"count":7,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9827\/revisions"}],"predecessor-version":[{"id":9905,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/9827\/revisions\/9905"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}