将安全和httpOnly标志添加到Apache httpd中的每个Set-Cookie响应 [英] Add Secure and httpOnly Flags to Every Set-Cookie Response in Apache httpd

问题描述

我正在运行Apache 2.2.26：

I'm running Apache 2.2.26:

Server version: Apache/2.2.26 (Unix)
Server built:   Jan 17 2014 12:24:49
Cpanel::Easy::Apache v3.22.30 rev9999 +cloudlinux

我正在尝试使用mod_headers编辑Set-Cookie标头并添加安全或httpOnly标志，但它根本不起作用（不执行任何操作，不会产生HTTP 500错误）。

I'm attempting to use mod_headers to edit Set-Cookie headers and add the secure or httpOnly flag, but its not working at all (Does nothing, doesn't give HTTP 500 error).

我可以使用Header命令的 modify append指令，而不必进行编辑。我不知道为什么...

I can use the "modify" "append", directives of the Header command without an issue, just not the edit. I do not know why...

我尝试了很多组合，但这是我在.htaccess文件中所拥有的：

I've tried many combinations, but this is what I have in my .htaccess:

Header edit Set-Cookie "(.)([Hh][Tt][Tt][Pp][Oo][Nn][Ll][Yy])?(.)" "$1$2 ;HTTPOnly"
Header edit Set-Cookie "(.)([Ss][Ee][Cc][Uu][Rr][Ee])?(.)" "$1$2 ;Secure"

我接受任何会自动将标志添加到每个Set的解决方案-Cookie响应，而无需在应用程序内编辑代码。我无权在Web服务器上安装其他项目，但是Web服务器具有在大多数Web主机上发现的标准的非常长的Apache模块列表。

I'm open to any solution that will automatically add the flags to every Set-Cookie response, without requiring the editing of code within the application. I do not have access to install additional items on the web server, but the web server has the standard very long list of Apache modules found on most web hosts.

推荐答案

Header edit 指令在应用程序生成响应之前运行 ，因此，如果应用程序正在生成所需的标题，要进行编辑，该标头在指令运行时将不存在，并且没有任何可编辑的地方。

The Header edit directive runs before your application produces a response, so if the application is producing the header you want to edit, that header won't yet exist at the time the directive runs, and there'll be nothing for it to edit.

您可以使用 Header总是编辑（在应用程序生成响应后在之后运行）

You can fix this by using Header always edit (which runs after your application produces a response) instead:

Header always edit Set-Cookie (.*) "$1; HTTPOnly"

在应用指令之前的示例标头：

An example header, before applying the directive:

Set-Cookie: foo=bar; domain=.example.com; path=/

应用指令后的相同标头：

The same header after applying the directive:

Set-Cookie: foo=bar; domain=.example.com; path=/; HTTPOnly

我不确定您问题中的指令是要做什么；更改为标头总是编辑（假设相同的 Set-Cookie 标头，例如上面的示例）是

I'm not sure what the directives in your question are meant to do exactly; what they actually result in when changed to Header always edit (assuming the same Set-Cookie header as in my example above) is e.g.

Set-Cookie: f ;HTTPOnlyo=bar; domain=.example.com; path=/

如果您了解正则表达式和反向引用是如何工作的，则很明显在那里发生了什么，但大概是不是你想要的。如您所说，如果您想将标志添加到每个 Set-Cookie 标头中，我在此答案顶部给出的指令应该对您有用；如果您的需求更加复杂，并且我误解了您要使用该搜索/替换方法做什么，请告诉我。

If you understand how regexes and backreferences work, it's obvious what's happening there, but presumably it's not what you want. The directive I've given at the top of this answer ought to work for you if, as you say, you want to add the flag to every Set-Cookie header; if your needs are more complex and I've misunderstood what you're trying to do with that search/replace, let me know.

编辑：如果不是很明显：要添加两个 标志，则可以这样修改指令：

In case it isn't obvious: to add both flags, you can either modify the directive like so:

Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"

...或使用两个指令：

... or use two directives:

Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always edit Set-Cookie (.*) "$1; Secure"

第一种方法似乎对我来说更明智，但这很大程度上取决于口味。

The first approach seems more sensible to me, but it's largely a matter of taste.

这篇关于将安全和httpOnly标志添加到Apache httpd中的每个Set-Cookie响应的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！