
I'm running Apache 2.4.29 on Ubuntu 18.04. I'm also running PHP 7.2 and I can't update to 7.3 yet.

I need to update the PHP session cookie (PHPSESSID), as well as a few others, on a tracking widget that is intended to run cross-site.

I have tried many different proposed solutions, but none of them work. Mostly, nothing happens, and some of those workarounds even cause the cookies to not be set at all. The workarounds I have tried include doing a `Header always edit` in my .conf file for the particular service I'm trying to update.

Since updating the Apache config files didn't work, I tried doing it in my htaccess file, but that also does nothing or breaks the cookies.

I tried adding this to the beginning of my htaccess file:

```apache
Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure; SameSite=None"
```

No changes to the cookie.

I then created a cookie in the htaccess to test that part:

```apache
Header set Set-Cookie "language=eng; path=/; HttpOnly; Secure; SameSite=None"
```

That worked for that new language cookie, but the rest of the cookies weren't even set.

This is what my current test htaccess file looks like:

```apache
Header set Set-Cookie "language=eng; path=/;"
Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure; SameSite=None"
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
```

I would expect the language cookie to have the `HttpOnly;Secure;SameSite=None` appended to the end, but it doesn't. According to Chrome Dev Tools, my Response Header just has this: `Set-Cookie: language=eng; path=/;`

I have NO idea what I'm doing wrong. I have tried different combinations of regex expressions for the edit with no results.

Please help!!

J. Scott Elblein
DEBRAIN Dev
  • For php session cookies, have you tried this: https://stackoverflow.com/a/22222151/2960971 – IncredibleHat Jan 24 '20 at 17:35
  • Also, look into using `Header add` instead of `Header set`... so it doesn't blow out other cookies. – IncredibleHat Jan 24 '20 at 17:36
  • @IncredibleHat Changing set to add indeed prevented my other cookies from disappearing, thank you. However, the main part is getting the additional attributes (SameSite) added to the cookies. That's still not working. The php side fix was the first change I looked at, but samesite is not available for ini settings until PHP 7.3, so that didn't work for me. – DEBRAIN Dev Jan 24 '20 at 17:46
  • I appear to have found the culprit. I thought I had tested placing the edits at the end of my htaccess file, but apparently I hadn't. Moving them after the rewrite did the trick. Can anyone explain why? – DEBRAIN Dev Jan 24 '20 at 18:11
  • I believe because rewrites prematurely end the htaccess. They do those to get the user to where they should be, first... before going onward to the destination files. Or maybe not. I usually get confused with rewrites myself ;) – IncredibleHat Jan 24 '20 at 18:45
  • I'm in a similar situation but haven't cracked it yet. The Apache config is for a ProxyPass so there's no `htaccess` file, it's just `Header` entries in a ``. I've tried putting the same `Header always edit ...` line from your question before or after the ProxyPass entry, and it never works. The crazy part is I can put a `Header always add Set-Cookie "bar=baz"` before it and I wind up with `Set-Cookie "bar=baz; HttpOnly; Secure; SameSite=None` -- the `edit` works on a cookie added by Apache but not in the proxied response. – Coderer May 28 '21 at 12:16

0 Answers
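An added example, not part of the original thread: a Python check for `Set-Cookie` values copied from browser dev tools, which also emulates the `^(.*)$` edit from the question to show that it appends blindly (doubling the `;` and repeating attributes when applied twice). The function names and sample values are assumptions made for illustration.

```python
import re

# Attributes the rule in the question is meant to append.
WANTED = ("HttpOnly", "Secure", "SameSite=None")
# Constructed sample values, in the form shown in browser dev tools.
SAMPLE = ["language=eng; path=/;", "pref=1; path=/; Secure; SameSite=None"]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(value):
    """Return the problems found in one Set-Cookie value (empty list = OK)."""
    name, attrs = parse_set_cookie(value)
    problems = [f"{name}: missing {f}" for f in ("httponly", "secure") if f not in attrs]
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append(f"{name}: missing samesite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Current browsers reject SameSite=None cookies that lack Secure.
        problems.append(f"{name}: SameSite=None without Secure")
    return problems

def blind_append(value):
    """Emulate the page's rule: ^(.*)$ -> "$1; HttpOnly; Secure; SameSite=None"."""
    return re.sub(r"^(.*)$", r"\1; HttpOnly; Secure; SameSite=None", value, count=1)

def append_missing(value):
    """Append only the attributes that are absent, so a second pass changes nothing."""
    _, attrs = parse_set_cookie(value)
    out = value.rstrip().rstrip(";")
    for attr in WANTED:
        if attr.split("=")[0].lower() not in attrs:
            out += "; " + attr
    return out

if __name__ == "__main__":
    for v in SAMPLE:
        print(audit(v), "|", blind_append(v), "|", append_missing(v))
```
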