LiteSpeed Alternative to Apache Header Edit
LiteSpeed doesn't support Apache's header edit directive, and so the following Apache directive won't work on LiteSpeed:
Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"
Let's look at the elements of the directive, and how to accomplish each with LSWS.
ForceSecureCookie
As of LSWS v5.4.9 build 2, a new directive, ForceSecureCookie, has been introduced to enforce the secure, SameSite and httponly cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the .htaccess of the document root directory.
ForceSecureCookie can use the following values (order doesn't matter):
off, on|secure, httponly, lax|same_site_lax, strict|same_site_strict, same_site_none
The same_site_xxxx values can be combined with secure.
Examples
To enforce the secure attribute only:
ForceSecureCookie secure
To enforce “secure; SameSite=none;”:
ForceSecureCookie secure same_site_none
To enforce “SameSite=strict” only:
ForceSecureCookie strict
or
ForceSecureCookie same_site_strict
NOTE:
- When using the above directives, please make sure to enclose them with <IfModule LiteSpeed> ... </IfModule>.
- The secure flag, when served over HTTPS, is automatically handled by LiteSpeed Web Server as of v5.4.5, and so it is unnecessary to use a directive for that.
- HTTPOnly could also be set in php.ini. For example:
session.cookie_httponly=On
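To confirm that ForceSecureCookie is taking effect, audit the Set-Cookie headers the server returns. The following check is an added example, not part of the LiteSpeed documentation; the function names are hypothetical and the sample header lines are constructed.

```python
# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=None",
    "Set-Cookie: lang=en; path=/",
    "Set-Cookie: track=1; path=/; SameSite=None",
]


def parse_set_cookie(line):
    """Return (cookie_name, {lowercased_attribute: lowercased_value})."""
    _, _, value = line.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0] if parts else ""
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs


def audit_cookie(line, want_samesite="none"):
    """List the problems for one cookie; an empty list means it matches."""
    name, attrs = parse_set_cookie(line)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("missing SameSite")
    elif samesite != want_samesite:
        problems.append(f"SameSite={samesite}, expected {want_samesite}")
    if samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure")
    return name, problems


def audit_headers(lines, want_samesite="none"):
    """Audit every Set-Cookie line; all other header lines are ignored."""
    cookies = [l for l in lines if l.lower().startswith("set-cookie:")]
    return dict(audit_cookie(l, want_samesite) for l in cookies)


if __name__ == "__main__":
    for name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Pass it the header lines saved from a real response, and set want_samesite to lax, strict or none to match the value configured in ForceSecureCookie.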