Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
litespeed_wiki:config:header-edit-set-cookie [2021/09/20 17:40] Jackson Zhang |
litespeed_wiki:config:header-edit-set-cookie [2023/02/09 20:51] Lisa Clarke Redirect to new Documentation Site |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== LiteSpeed Alternative to Apache Header Edit ====== | + | ~~REDIRECT>https://docs.litespeedtech.com/docs-lisa/lsws/configuration/#forcesecurecookie~~ |
| - | + | ||
| - | LiteSpeed doesn't support Apache's header ''edit'' directive, and so the following Apache directive won't work on LiteSpeed: | + | |
| - | <code> | + | |
| - | Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none" | + | |
| - | </code> | + | |
| - | + | ||
| - | Let's look at the elements of the directive, and how to accomplish each with LSWS. | + | |
| - | + | ||
| - | ===== ForceSecureCookie ===== | + | |
| - | As of LSWS v 5.4.9 build 2, a new directive ''ForceSecureCookie'' has been introduced to enforce ''secure'' , ''SameSite'' and ''httponly'' cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the ''.htaccess'' of the document root directory. | + | |
| - | + | ||
| - | ''ForceSecureCookie'' can use the following values(order doesn't matter): | + | |
| - | + | ||
| - | ''off'' ,''on''|''secure'',''httponly'',''lax''|''same_site_lax'' ,''strict''|''same_site_strict'',''same_site_none'' | + | |
| - | + | ||
| - | The ''same_site_xxxx'' values can be combined with ''secure''. | + | |
| - | + | ||
| - | ==== Examples ==== | + | |
| - | To enforce the ''secure'' attribute only: | + | |
| - | <code> | + | |
| - | ForceSecureCookie secure | + | |
| - | </code> | + | |
| - | + | ||
| - | To enforce "secure; SameSite=none;": | + | |
| - | <code> | + | |
| - | ForceSecureCookie secure same_site_none | + | |
| - | </code> | + | |
| - | + | ||
| - | To enforce "SameSite=strict" only: | + | |
| - | <code> | + | |
| - | ForceSecureCookie strict | + | |
| - | </code> | + | |
| - | or | + | |
| - | <code> | + | |
| - | ForceSecureCookie same_site_strict | + | |
| - | </code> | + | |
| - | + | ||
| - | **NOTE**: When using the above directives, please make sure to enclose them with | + | |
| - | <code> | + | |
| - | <IfModule LiteSpeed> | + | |
| - | ... | + | |
| - | </IfModule> | + | |
| - | </code> | + | |
| - | + | ||
| - | Notes: | + | |
| - | * ''secure'' flag when served over HTTPS, is automatically handled by LiteSpeed Web Server as of v5.4.5, and so it is unnecessary to use a directive for that. | + | |
| - | * HTTPOnly could also be set in ''php.ini''. For example: | + | |
| - | <code> | + | |
| - | session.cookie_httponly=On | + | |
| - | </code> | + | |