Apache: incap_ses_* cookie is Secure but not HttpOnly, whereas visid_incap_* have both flags

3.2k Views Asked by Jacobo At 12 January 2021 at 00:10

I have an Apache server that hosts a Wordpress webpage. I modified my mod_headers to set the Secure and HttpOnly flag to all the cookies. My configuration is as follows:

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

For some reason the incap_ses cookie only appears with the Secure flag, and the visid_incap have both Secure and HttpOnly flags.

Is there a reason why that specific cookie (incap_ses) doesn't appear with the HttpOnly flag too?

Original Q&A

There are 1 best solutions below

Nick Cappello On 12 January 2021 at 04:38

Here are a few ways to fix this.
Try always in front of edit i.e. always edit
Also make sure that you list a line uses always before any lines that has just use edit
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

But best practice would be to handle this in a PHP file. Then add something like this to the .htaccess.

Header set Set-Cookie HttpOnly;Secure
# END WordPress
# BEGIN HttpHeaders
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
# END HttpHeadersCookie

Apache: incap_ses_* cookie is Secure but not HttpOnly, whereas visid_incap_* have both flags

There are 1 best solutions below

Related Questions in WORDPRESS

Related Questions in APACHE

Related Questions in APACHE2

Related Questions in SESSION-COOKIES

Related Questions in APACHE-MODULES

Trending Questions

Popular # Hahtags

Popular Questions