Add httponly and secure cookie if not present

toms130 · January 22, 2021, 3:07pm

Hi all

I’d like to add Secure and HttpOnly to all cookies, when these securities are not already set by backend app, but I can’t find the way to do this properly.
Add is OK, but on cookies which have these notions, I have them twice (my acl doesn’t seems to work)

Even on a single cookie, I can’t figure how to do this
I’ve tried as shown in documentation

 acl secured_cookie res.cook(JSESSIONID),lower -m sub secure
 acl httponly_cookie res.cook(JSESSIONID),lower -m sub httponly
 http-response replace-header Set-Cookie (.*) \1;\ Secure if !secured_cookie
 http-response replace-header Set-Cookie (.*) \1;\ HttpOnly if !httponly_cookie

but when I curl URL, I have this cookie in header

set-cookie: JSESSIONID=BED876AD41ED3F0367F986921AE83711; Path=/cas; Secure; HttpOnly; Secure; HttpOnly

Ideally, I’d like to do this on all cookies.
Any help would be appreciated

GJammal · April 8, 2021, 7:57pm

Hi toms130, I am having a similar problem. Was you able to resolve it?

lukastribus · April 8, 2021, 8:03pm

The content of the JSESSIONID cookie contains BED876AD41ED3F0367F986921AE83711, it doesn’t contain secure or httponly, not even in a substring.

Actually match the header with req.fhdr(set-cookie).

Topic		Replies	Views
Cookie / JSESSIONID naming confusion Help!	1	31	October 11, 2024
How to add Cookies on http request not on http response Help!	3	4337	January 27, 2021
Using cookies for ACL Help!	6	1306	May 30, 2019
Insert 2nd Cookie Help!	0	207	December 15, 2022
ACL based on HTTP Response Set-Cookie Header Help!	1	2547	December 8, 2017

Add httponly and secure cookie if not present

Related topics