LiteSpeed Alternative to Apache Header Edit

LiteSpeed doesn't support Apache's header edit directive, and so the following Apache directive won't work on LiteSpeed:

Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"

Let's look at the elements of the directive, and how to accomplish each with LSWS.

Patching Set-Cookie with the Secure flag when served over HTTPS, as in the above example, is handled automatically by LiteSpeed Web Server as of v5.4.5, so no directive is needed for that.

For HTTPOnly settings, you should be able to use php.ini. For example:

  session.cookie_httponly=On

As of LSWS v5.4.9 build 2, a new directive, ForceSecureCookie, enforces the Secure and SameSite cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the .htaccess of the document root directory.

ForceSecureCookie can use the following values:

off, on|secure, lax|same_site_lax, strict|same_site_strict, same_site_none

The same_site_xxxx values can be combined with secure.

Examples

To enforce the secure attribute only:

ForceSecureCookie secure

To enforce “secure; SameSite=none;”:

ForceSecureCookie secure same_site_none

To enforce “SameSite=strict” only:

ForceSecureCookie strict

or

ForceSecureCookie same_site_strict

NOTE: When using the above directives, please make sure to enclose them in an IfModule block:

<IfModule LiteSpeed>
...
</IfModule>
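
To check which attributes actually reach the client once ForceSecureCookie and session.cookie_httponly are in place, the following Python sketch audits Set-Cookie header values. It is an added example, not part of the LiteSpeed documentation; the function names are hypothetical and the sample headers are constructed.

```python
"""Audit Set-Cookie values for the Secure, HttpOnly and SameSite attributes."""

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs

def audit_cookie(value, require_httponly=True):
    """Return a list of findings for one Set-Cookie value (empty list means OK)."""
    _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if require_httponly and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite not in ("strict", "lax", "none"):
        findings.append("invalid SameSite value")
    # SameSite=None without Secure is rejected by Chromium-based browsers.
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    return findings

def audit_headers(values):
    """Map each cookie name to its findings for a list of Set-Cookie values."""
    return {parse_set_cookie(v)[0]: audit_cookie(v) for v in values}

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE = [
    "PHPSESSID=abc123; path=/",
    "sid=abc123; path=/; HttpOnly; Secure; SameSite=None",
    "tracker=1; Path=/; SameSite=None",
    "pref=a=b; Expires=Wed, 09 Jun 2021 10:18:14 GMT; secure; httponly; samesite=strict",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed it the Set-Cookie values captured from an HTTPS response of the site, before and after enabling the directive.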
  • Last modified: 2020/09/04 18:19
  • by Lisa Clarke