Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:header-edit-set-cookie [2020/09/04 18:19] Lisa Clarke Copyediting |
litespeed_wiki:config:header-edit-set-cookie [2023/02/09 20:52] (current) Lisa Clarke Fix redirect link |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== LiteSpeed Alternative to Apache Header Edit ====== | + | ~~REDIRECT>https://docs.litespeedtech.com/lsws/configuration/#forcesecurecookie~~ |
- | + | ||
- | LiteSpeed doesn't support Apache's header ''edit'' directive, and so the following Apache directive won't work on LiteSpeed: | + | |
- | <code> | + | |
- | Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none" | + | |
- | </code> | + | |
- | + | ||
- | Let's look at the elements of the directive, and how to accomplish each with LSWS. | + | |
- | + | ||
- | ===== Secure ===== | + | |
- | The above example, which involves patching Set-Cookie with a ''secure'' flag when served over HTTPS, is automatically handled by LiteSpeed Web Server as of v5.4.5, and so it is unnecessary to use a directive for that. | + | |
- | + | ||
- | ===== HTTPOnly ===== | + | |
- | For ''HTTPOnly'' settings, you should be able to use ''php.ini''. For example: | + | |
- | <code> | + | |
- | session.cookie_httponly=On | + | |
- | </code> | + | |
- | + | ||
- | ===== ForceSecureCookie ===== | + | |
- | As of LSWS v 5.4.9 build 2, a new directive ''ForceSecureCookie'' has been introduced to enforce ''secure'' and ''SameSite'' cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the ''.htaccess'' of the document root directory. | + | |
- | + | ||
- | ''ForceSecureCookie'' can use the following values: | + | |
- | + | ||
- | ''off'' ,''on''|''secure'',''lax''|''same_site_lax'' ,''strict''|''same_site_strict'',''same_site_none'' | + | |
- | + | ||
- | The ''same_site_xxxx'' values can be combined with ''secure''. | + | |
- | + | ||
- | ==== Examples ==== | + | |
- | To enforce the ''secure'' attribute only: | + | |
- | <code> | + | |
- | ForceSecureCookie secure | + | |
- | </code> | + | |
- | + | ||
- | To enforce "secure; SameSite=none;": | + | |
- | <code> | + | |
- | ForceSecureCookie secure same_site_none | + | |
- | </code> | + | |
- | + | ||
- | To enforce "SameSite=strict" only: | + | |
- | <code> | + | |
- | ForceSecureCookie strict | + | |
- | </code> | + | |
- | or | + | |
- | <code> | + | |
- | ForceSecureCookie same_site_strict | + | |
- | </code> | + | |
- | + | ||
- | **NOTE**: When using the above directives, please make sure to enclose them with | + | |
- | <code> | + | |
- | <IfModule LiteSpeed> | + | |
- | ... | + | |
- | </IfModule> | + | |
- | </code> | + |
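Review bot: the redirect on the new Line 1 targets only the #forcesecurecookie anchor, while the removed text also documented material outside that directive: the HTTPOnly section (session.cookie_httponly=On in php.ini), the statement that LSWS adds the secure flag automatically over HTTPS as of v5.4.5, and the note to wrap the directives in an IfModule LiteSpeed block. Please confirm that the destination page carries those three points before they are dropped here, or keep a short stub for them. Otherwise someone porting the Apache line "Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"" is pointed at guidance for Secure and SameSite only, and the HTTPOnly part of that directive has no documented replacement.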