Differences
litespeed_wiki:config:header-edit-set-cookie [2020/09/03 20:35] Jackson Zhang created
litespeed_wiki:config:header-edit-set-cookie [2021/09/20 17:41] Jackson Zhang
Line 2: | Line 2: | ||
LiteSpeed doesn't support Apache's header ''edit'' directive, and so the following Apache directive won't work on LiteSpeed: | LiteSpeed doesn't support Apache's header ''edit'' directive, and so the following Apache directive won't work on LiteSpeed: | ||
- | Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none" | ||
- | | ||
- | ===== ''secure'' ===== | ||
- | This particular case, which involves patching Set-Cookie with a ''secure'' flag when served over HTTPS, is automatically handled by LiteSpeed Web Server as of v5.4.5, and so it is unnecessary to use a directive for that. | ||
- | |||
- | ===== ''HTTPOnly'' ===== | ||
- | For ''HTTPOnly'' settings, you should be able to use ''php.ini''. For example: | ||
<code> | <code> | ||
- | session.cookie_httponly=On | + | Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none" |
- | </code> | + | </code> |
- | ===== New directive ''ForceSecureCookie'' enforce "secure" and "SameSite" cookie attribute ===== | + | Let's look at the elements of the directive, and how to accomplish each with LSWS. |
- | Starting from 5.4.9 build 2, a new directive ''ForceSecureCookie'' has been introduced to enforce "secure" and "SameSite" cookie attributes. It can be set in the Apache config file at the server or virtual host level, or in .htaccess of the document root directory. | + | |
- | ''ForceSecureCookie'' can use value | + | ===== ForceSecureCookie ===== |
- | off, on|secure, lax|same_site_lax, strict|same_site_strict, same_site_none | + | As of LSWS v 5.4.9 build 2, a new directive ''ForceSecureCookie'' has been introduced to enforce ''secure'' , ''SameSite'' and ''httponly'' cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the ''.htaccess'' of the document root directory. |
- | + | ||
- | ''same_site_xxxx'' value can be combined with ''secure''. | + | |
- | For example: | + | ''ForceSecureCookie'' can use the following values(order doesn't matter): |
- | To enforce ''secure'' attribute only: | + | |
- | ForceSecureCookie secure | + | ''off'' ,''on''|''secure'',''httponly'',''lax''|''same_site_lax'' ,''strict''|''same_site_strict'',''same_site_none'' |
+ | |||
+ | The ''same_site_xxxx'' values can be combined with ''secure''. | ||
+ | |||
+ | ==== Examples ==== | ||
+ | To enforce the ''secure'' attribute only: | ||
+ | <code> | ||
+ | ForceSecureCookie secure | ||
+ | </code> | ||
| | ||
- | To enforce "secure; SameSite=none;" attribute: | + | To enforce "secure; SameSite=none;": |
- | ForceSecureCookie secure same_site_none | + | <code> |
+ | ForceSecureCookie secure same_site_none | ||
+ | </code> | ||
- | To enforce "SameSite=strict" attribute only | + | To enforce "SameSite=strict" only: |
- | ForceSecureCookie strict | + | <code> |
+ | ForceSecureCookie strict | ||
+ | </code> | ||
or | or | ||
- | ForceSecureCookie same_site_strict | + | <code> |
+ | ForceSecureCookie same_site_strict | ||
+ | </code> | ||
| | ||
- | When using the above directives, please make sure to enclose with | + | **NOTE**: |
- | <IfModule LiteSpeed> | + | * When using the above directives, please make sure to enclose them with |
- | ... | + | <code> |
- | </IfModule> | + | <IfModule LiteSpeed> |
+ | ... | ||
+ | </IfModule> | ||
+ | </code> | ||
+ | |||
+ | * ''secure'' flag when served over HTTPS, is automatically handled by LiteSpeed Web Server as of v5.4.5, and so it is unnecessary to use a directive for that. | ||
+ | * HTTPOnly could also be set in ''php.ini''. For example: | ||
+ | <code> | ||
+ | session.cookie_httponly=On | ||
+ | </code> |
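Review bot: the new Examples section never shows the ''httponly'' value, even though the rewritten ForceSecureCookie paragraph now says the directive enforces ''secure'', ''SameSite'' and ''httponly'' and the value list includes ''httponly''; since the page exists to replace ''Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"'', add one example that reproduces all three attributes (if the values compose as the "order doesn't matter" list implies, e.g. ''ForceSecureCookie secure httponly same_site_none''), so readers are not left to infer that from the old directive. Two smaller points in the NOTE list: the ''secure'' bullet lost its subject when it was trimmed from the removed ''secure'' section and now reads "''secure'' flag when served over HTTPS, is automatically handled"; "The ''secure'' flag is added automatically when a cookie is served over HTTPS, as of LSWS v5.4.5, so no directive is needed for it" keeps the same meaning. And "values(order doesn't matter)" needs a space before the parenthesis.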