LiteSpeed Alternative to Apache Header Edit

LiteSpeed doesn't support Apache's header edit directive, and so the following Apache directive won't work on LiteSpeed:

Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"

Let's look at the elements of the directive, and how to accomplish each with LSWS.

The above example, which involves patching Set-Cookie with a secure flag when served over HTTPS, is automatically handled by LiteSpeed Web Server as of v5.4.5, and so it is unnecessary to use a directive for that.

For HTTPOnly settings, you should be able to use php.ini. For example:

  session.cookie_httponly=On

As of LSWS v5.4.9 build 2, a new directive, ForceSecureCookie, has been introduced to enforce the secure, SameSite and httponly cookie attributes. It can be set in the Apache config file at the server or virtual-host level, or in the .htaccess of the document root directory.

ForceSecureCookie can use the following values (order doesn't matter):

off, on|secure, httponly, lax|same_site_lax, strict|same_site_strict, same_site_none

The same_site_xxxx values can be combined with secure.

Examples

To enforce the secure attribute only:

ForceSecureCookie secure

To enforce “secure; SameSite=none;”:

ForceSecureCookie secure same_site_none

To enforce “SameSite=strict” only:

ForceSecureCookie strict

or

ForceSecureCookie same_site_strict

NOTE: When using the above directives, please make sure to enclose them with

<IfModule LiteSpeed>
...
</IfModule>
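
To confirm that the directive is taking effect, compare the Set-Cookie headers of a response against the configured values. The Python script below is an added example, not part of the original LiteSpeed documentation; it reads the "|" in the value list above as separating aliases, and its function names and sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers against a ForceSecureCookie value.
# The value-to-attribute mapping follows the value list on this page; the
# function names and the sample headers are constructed for illustration.

EXPECTED = {
    "on": ("secure", None), "secure": ("secure", None),
    "httponly": ("httponly", None),
    "lax": ("samesite", "lax"), "same_site_lax": ("samesite", "lax"),
    "strict": ("samesite", "strict"), "same_site_strict": ("samesite", "strict"),
    "same_site_none": ("samesite", "none"),
}

def parse_set_cookie(header):
    """Return (cookie_name, {attribute_name_lower: value_lower_or_None})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower() or None
    return name, attrs

def audit(directive_values, set_cookie_headers):
    """List (cookie, problem) pairs for cookies missing an enforced attribute."""
    # An unknown directive value raises KeyError instead of being ignored.
    wanted = [EXPECTED[v.lower()] for v in directive_values.split() if v.lower() != "off"]
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        for attr, value in wanted:
            if attr not in attrs:
                findings.append((name, f"missing {attr}"))
            elif value is not None and attrs[attr] != value:
                findings.append((name, f"samesite={attrs[attr]}, expected {value}"))
        # Browsers reject SameSite=None cookies that lack the Secure attribute.
        if attrs.get("samesite") == "none" and "secure" not in attrs:
            findings.append((name, "samesite=none without secure"))
    return findings

# Constructed response headers, as they might be captured with `curl -sI`.
SAMPLE = [
    "PHPSESSID=abc123; path=/; HttpOnly; Secure; SameSite=None",
    "lang=en; path=/; SameSite=None",
    "cart=42; path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, problem in audit("secure same_site_none", SAMPLE):
        print(f"{cookie}: {problem}")
```

An empty result means every cookie in the response carries the attributes the configured value is meant to enforce.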
  • Last modified: 2021/09/20 17:35
  • by Jackson Zhang