Add httponly and secure cookie if not present

toms130 · January 22, 2021, 3:07pm

Hi all

I’d like to add Secure and HttpOnly to all cookies, when these securities are not already set by backend app, but I can’t find the way to do this properly.
Add is OK, but on cookies which have these notions, I have them twice (my acl doesn’t seems to work)

Even on a single cookie, I can’t figure how to do this
I’ve tried as shown in documentation

 acl secured_cookie res.cook(JSESSIONID),lower -m sub secure
 acl httponly_cookie res.cook(JSESSIONID),lower -m sub httponly
 http-response replace-header Set-Cookie (.*) \1;\ Secure if !secured_cookie
 http-response replace-header Set-Cookie (.*) \1;\ HttpOnly if !httponly_cookie

but when I curl URL, I have this cookie in header

set-cookie: JSESSIONID=BED876AD41ED3F0367F986921AE83711; Path=/cas; Secure; HttpOnly; Secure; HttpOnly

Ideally, I’d like to do this on all cookies.
Any help would be appreciated

GJammal · April 8, 2021, 7:57pm

Hi toms130, I am having a similar problem. Was you able to resolve it?

lukastribus · April 8, 2021, 8:03pm

The content of the JSESSIONID cookie contains BED876AD41ED3F0367F986921AE83711, it doesn’t contain secure or httponly, not even in a substring.

Actually match the header with req.fhdr(set-cookie).

Topic		Replies	Views
Using cookies for ACL Help!	6	1040	May 30, 2019
ACL based on HTTP Response Set-Cookie Header Help!	1	2465	December 8, 2017
Optional cookie persistence based on ACL (port) Help!	0	285	February 1, 2022
Use_backend with cookie / map Help!	3	1110	May 14, 2019
Set cookie according to user agent Help!	1	435	June 17, 2021

Add httponly and secure cookie if not present

Related Topics