Support » Plugin: HTTP Headers » Cookie Security won’t set

  • Resolved morris373


    I have set the Cookie Security to On with the following settings Secure, HttpOnly and samesite=Lax.

    When I save it, it doesn’t appear in the Http Headers in the .htaccess file. Should it save the settings there or does it do something else?



Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Dimitar Ivanov


If your server API is some CGI, then the settings you mentioned above should be stored in your user_ini.filename:

    session.cookie_httponly = on
    session.cookie_secure = on
    session.cookie_samesite = "Lax"

    otherwise in your .htaccess file:

    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    php_value session.cookie_samesite Lax

    So, I guess you’re using some CGI SAPI.

    Hi Dimitar
    Thank you for your quick reply.

    I needed the 2nd one as I am using the .htaccess file.

    I have added it in and saved the file.

    The website results I need help with:

    When I run Observatory by Mozilla and under Test Scores, it says ‘Session cookie set without using the HttpOnly flag’. I thought by adding the lines above would have set it up correctly using HttpOnly.

    Looking at the Cookies further down, PHPSESSID is not Secure or HttpOnly, also cf7mm_check is not Secure or HttpOnly either.

So I don’t understand what’s going on or even if it has gone wrong somewhere. I did manage to add `Header set set-cookie path=/;secure;HttpOnly;samesite=lax` and that shows up in the results.

    How can we fix PHPSESSID and cf7mm_check to be secure and HttpOnly?


    Hi Dimitar
I found this piece of code on this website that I added to the .htaccess file:

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

And it worked, the Observatory results now give me a tick. When I check the Cookies section of the report, both HttpOnly and Secure are ticked.

    Test Scores now read: All cookies use the Secure flag, session cookies use the HttpOnly flag, and cross-origin restrictions are in place via the SameSite flag.

    Maybe you could add that line into your plugin….


    Hi Dimitar
You can also add samesite=lax or strict, like below:

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"


    Plugin Author Dimitar Ivanov


    Hi @morris373

    Definitely I will consider your suggestion on very next release.




    Set cookie security is not functioning for me either.

Not sure what to do with the code above or where to put it.

    How would I write a line to go in the FilesMatch so that I get:

    SameSite=None Secure

    I tried several combinations and it just won’t write it to my .htaccess file

Header set Cookie-Security "SameSite=None; 'secure'"

    I’m trying to solve this:

A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute.
Cookies with cross-site requests require SameSite=None and Secure.
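
As an added example (not code from the HTTP Headers plugin or from any of the posters), the following Python models the `Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"` rule from the replies above against constructed Set-Cookie values, audits the result for the three attributes Observatory reports (Secure, HttpOnly, SameSite), and shows two things the thread does not spell out: a blanket `(.*)` edit also re-appends the attributes to cookies the application already hardened (browsers keep the last occurrence of a repeated attribute, so an existing `SameSite=Strict` is silently turned into `Lax`), and the `SameSite=None` case from the last post is only accepted together with `Secure`. The `apache_header_edit`, `harden` and `audit_set_cookie` functions, the rule lists and the sample cookie values are this example's own; the negative-lookahead variant assumes Apache's PCRE accepts that construct.

```python
"""Emulate the mod_headers rule posted in this thread,

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"

on constructed Set-Cookie values and audit the result the way Observatory
reports it (Secure, HttpOnly, SameSite). Added example; not code from the
HTTP Headers plugin or from the posts above.
"""
import re


def apache_header_edit(value: str, pattern: str, replacement: str) -> str:
    """Model of 'Header edit': PCRE pattern, $1..$9 backreferences in the
    replacement, first match only ('edit*' would replace every match).
    Python's re uses backslash-digit rather than $digit, so translate."""
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value, count=1)


# The rule from the thread: append the three attributes to every cookie.
THREAD_RULE = [(r"(.*)", "$1;HttpOnly;Secure;samesite=lax")]

# What the last post asks for (cookies sent on cross-site requests): the same
# edit with different attributes. SameSite=None is only accepted with Secure.
CROSS_SITE_RULE = [(r"(.*)", "$1;SameSite=None;Secure")]

# Safer variant (assumption: Apache's PCRE accepts the negative lookahead):
# add each attribute only when the cookie does not already carry it, so a
# cookie the application already hardened is left untouched.
IDEMPOTENT_RULES = [
    (r"(?i)^((?!.*;\s*httponly\b).*)$", "$1;HttpOnly"),
    (r"(?i)^((?!.*;\s*secure\b).*)$", "$1;Secure"),
    (r"(?i)^((?!.*;\s*samesite=).*)$", "$1;SameSite=Lax"),
]


def harden(value: str, rules) -> str:
    """Apply a list of (pattern, replacement) edits in order, as Apache would."""
    for pattern, replacement in rules:
        value = apache_header_edit(value, pattern, replacement)
    return value


def audit_set_cookie(value: str) -> dict:
    """Parse one Set-Cookie value and list what a scanner would flag."""
    name_value, *attrs = [part.strip() for part in value.split(";")]
    name = name_value.split("=", 1)[0]
    flags = {"Secure": False, "HttpOnly": False, "SameSite": None}
    seen = []
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        seen.append(key)
        if key == "secure":
            flags["Secure"] = True
        elif key == "httponly":
            flags["HttpOnly"] = True
        elif key == "samesite":
            # RFC 6265: when an attribute repeats, the last occurrence wins.
            flags["SameSite"] = val.strip().capitalize()
    findings = []
    if not flags["Secure"]:
        findings.append("missing Secure")
    if not flags["HttpOnly"]:
        findings.append("missing HttpOnly")
    if flags["SameSite"] is None:
        findings.append("missing SameSite")
    elif flags["SameSite"] == "None" and not flags["Secure"]:
        findings.append("SameSite=None without Secure (rejected by browsers)")
    duplicates = sorted({k for k in seen if seen.count(k) > 1})
    if duplicates:
        findings.append("duplicate attribute(s): " + ", ".join(duplicates))
    return {"name": name, **flags, "findings": findings}


# Constructed sample headers: the two cookies named in the thread, set with no
# flags, plus one the application already hardened with SameSite=Strict.
SAMPLES = [
    "PHPSESSID=0123456789abcdef; path=/",
    "cf7mm_check=1; path=/",
    "wp_hardened=abc; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print("before     :", audit_set_cookie(raw)["findings"])
        edited = harden(raw, THREAD_RULE)
        print("thread rule:", edited, audit_set_cookie(edited)["findings"])
        edited = harden(raw, IDEMPOTENT_RULES)
        print("idempotent :", edited, audit_set_cookie(edited)["findings"])
```

To check a real site, copy the `Set-Cookie:` values from `curl -sI` output into `SAMPLES`; the hardened cookie in the list is there to show why the blanket rule is worth replacing with the per-attribute variant once the application sets its own flags.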
