LiteSpeed Alternative to Apache Header Edit

LiteSpeed doesn't support Apache's Header edit directive, so the following Apache directive won't work on LiteSpeed:

Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"

Let's look at the elements of the directive, and how to accomplish each with LSWS.

As of LSWS v5.4.9 build 2, a new directive, ForceSecureCookie, has been introduced to enforce the secure, SameSite and httponly cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the .htaccess of the document root directory.

ForceSecureCookie accepts the following values (order doesn't matter; alternative spellings of the same value are separated by |):

  off
  on | secure
  httponly
  lax | same_site_lax
  strict | same_site_strict
  same_site_none

The same_site_xxxx values can be combined with secure.

Examples

To enforce the secure attribute only:

ForceSecureCookie secure

To enforce “secure; SameSite=none;”:

ForceSecureCookie secure same_site_none

To enforce “SameSite=strict” only:

ForceSecureCookie strict

or

ForceSecureCookie same_site_strict

NOTE:

  • When using the above directives, make sure to enclose them in
    <IfModule LiteSpeed>
    ...
    </IfModule>
  • The secure flag is handled automatically by LiteSpeed Web Server as of v5.4.5 when the response is served over HTTPS, so no directive is needed for that.
  • HTTPOnly could also be set in php.ini. For example:
    session.cookie_httponly=On
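As an added example (not from the LiteSpeed documentation or the LSWS code base), the following POSIX shell script writes the .htaccess equivalent of the Apache Header edit directive shown at the top of this page, and then checks a Set-Cookie header value for the three attributes that directive was meant to enforce. It assumes that httponly, secure and same_site_none may be combined on one ForceSecureCookie line (the page says order doesn't matter), that the .htaccess path is a placeholder, and that the Set-Cookie values are constructed samples.

```shell
#!/bin/sh
# Added example, not LiteSpeed's own code.
# Assumption: httponly, secure and same_site_none can be combined on one line.

# Print the .htaccess fragment that replaces
#   Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"
# on LSWS >= 5.4.9 build 2.
lsws_cookie_htaccess() {
    cat <<'EOF'
<IfModule LiteSpeed>
    # Enforce HttpOnly, Secure and SameSite=None on every Set-Cookie
    ForceSecureCookie httponly secure same_site_none
</IfModule>
EOF
}

# Check one Set-Cookie header value for HttpOnly, Secure and SameSite=None.
# Attribute names are compared case-insensitively, as browsers do.
# Prints "ok" and returns 0 when all three are present; otherwise prints the
# missing attributes and returns 1.
check_cookie_attrs() {
    has_httponly=0; has_secure=0; has_samesite_none=0; missing=""
    # Drop the leading name=value pair; what remains is the attribute list.
    rest="${1#*;}"
    [ "$rest" = "$1" ] && rest=""
    old_ifs=$IFS; IFS=';'
    for attr in $rest; do
        # Trim surrounding whitespace and lowercase for comparison.
        attr=$(printf '%s' "$attr" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
               | tr '[:upper:]' '[:lower:]')
        case "$attr" in
            httponly)      has_httponly=1 ;;
            secure)        has_secure=1 ;;
            samesite=none) has_samesite_none=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$has_httponly" -eq 1 ]      || missing="$missing HttpOnly"
    [ "$has_secure" -eq 1 ]        || missing="$missing Secure"
    [ "$has_samesite_none" -eq 1 ] || missing="$missing SameSite=None"
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    printf 'ok\n'
    return 0
}

# Demo with constructed headers (placeholder .htaccess path).
lsws_cookie_htaccess > /tmp/example-htaccess-placeholder
for hdr in 'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=None' \
           'PHPSESSID=abc123; Path=/; Secure'; do
    if check_cookie_attrs "$hdr"; then
        echo "  <- $hdr"
    else
        echo "  <- $hdr"
    fi
done
```

To run the check against a live server, feed it each Set-Cookie line from a response, e.g. the output of curl -sI, one header value per call; a second pass with the directive removed shows which attributes the application itself already sets versus which ones LSWS adds.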
  • Last modified: 2021/09/20 17:41
  • by Jackson Zhang