HTTP Headers plugin support: Cookie Security won’t set

[Resolved] morris373 (@morris373)


    Hi
    I have set the Cookie Security to On with the following settings Secure, HttpOnly and samesite=Lax.

    When I save it, it doesn’t appear in the Http Headers in the .htaccess file. Should it save the settings there or does it do something else?

    Thanks

    Morris

Viewing 6 replies - 1 through 6 (of 6 total)
Plugin Author Dimitar Ivanov (@zinoui)

    If your server API is some CGI then the settings you’ve mentioned above should be stored in your user-ini.filename

    session.cookie_httponly = on
    session.cookie_secure = on
    session.cookie_samesite = "Lax"

    otherwise in your .htaccess file:

    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    php_value session.cookie_samesite Lax

    So, I guess you’re using some CGI SAPI.

    Hi Dimitar
    Thank you for your quick reply.

    I needed the 2nd one as I am using the .htaccess file.

    I have added it in and saved the file.

    The website results I need help with: https://observatory.mozilla.org/analyze/friendsofllandyfeisantchurch.org

    When I run Observatory by Mozilla, under Test Scores it says ‘Session cookie set without using the HttpOnly flag’. I thought adding the lines above would have set it up correctly using HttpOnly.

    Looking at the Cookies further down, PHPSESSID is not Secure or HttpOnly, also cf7mm_check is not Secure or HttpOnly either.

    So I don’t understand what’s going on or even if it has gone wrong somewhere. I did manage to add `Header set set-cookie path=/;secure;HttpOnly;samesite=lax` and that shows up in the results.

    How can we fix PHPSESSID and cf7mm_check to be secure and HttpOnly?

    Morris

    Hi Dimitar
    I found this piece of code on this website (https://www.tunetheweb.com/security/http-security-headers/secure-cookies/) that I added to the .htaccess file:

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

    And it worked, the Observatory Results now give me a Tick. When I check the Cookies section of the report both HttpOnly and Secure are ticked.

    Test Scores now read: All cookies use the Secure flag, session cookies use the HttpOnly flag, and cross-origin restrictions are in place via the SameSite flag.

    Maybe you could add that line into your plugin….

    Morris

    Hi Dimitar
    You can also add samesite=lax or strict like below:

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"

    Morris

Plugin Author Dimitar Ivanov (@zinoui)

    Hi @morris373

    Definitely I will consider your suggestion on very next release.

    Thanks

VentureCore (@manakio2k)

    Set cookie security is not functioning for me either.

    Not sure what to do with the code above or where to put it.

    How would I write a line to go in the FilesMatch so that I get:

    SameSite=None Secure

    I tried several combinations and it just won’t write it to my .htaccess file

    e.g.
    Header set Cookie-Security "SameSite=None; 'secure'"

    I’m trying to solve this:

    A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute.
    cookies with cross-site requests require SameSite=None and Secure.
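
As an added illustration (not code from the plugin or from either poster), the following Python mimics what the `Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"` line from Morris's posts does to each Set-Cookie header, then audits the result the way the Observatory checks in this thread do. The cookie values are constructed, and the audit also covers VentureCore's SameSite=None case (which only works when Secure is present) and shows the one caveat of the unconditional edit: cookies that already carry the flags end up with duplicated attributes.

```python
import re

# Constructed sample Set-Cookie values, modelled on the cookies the
# Observatory report in this thread flagged (PHPSESSID, cf7mm_check).
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; path=/",
    "cf7mm_check=1; path=/",
    "already_ok=x; path=/; Secure; HttpOnly; SameSite=Lax",
]

LAX_EDIT = r"\1;HttpOnly;Secure;samesite=lax"     # Apache's "$1;HttpOnly;Secure;samesite=lax"
NONE_EDIT = r"\1;HttpOnly;Secure;SameSite=None"   # cross-site variant (assumed, same syntax)

def apache_header_edit(value, replacement=LAX_EDIT):
    """Mimic `Header always edit Set-Cookie (.*) "..."`: Apache matches the regex
    once against each Set-Cookie value and substitutes the captured group.
    count=1 avoids Python's extra empty match at end of string."""
    return re.sub(r"(.*)", replacement, value, count=1)

def audit_cookie(value):
    """Return (cookie name, list of problems) like a header scanner would."""
    name = value.split("=", 1)[0].strip()
    attrs = [a.strip().lower() for a in value.split(";")[1:]]
    keys = [a.split("=", 1)[0] for a in attrs]
    samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if samesite is None:
        problems.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None requires Secure")
    dups = sorted({k for k in keys if keys.count(k) > 1})
    if dups:
        problems.append("duplicate attributes: " + ", ".join(dups))
    return name, problems

def harden_and_audit(values, replacement=LAX_EDIT):
    """Apply the edit to every Set-Cookie value and report what is still wrong."""
    report = {}
    for v in values:
        name, problems = audit_cookie(apache_header_edit(v, replacement))
        report[name] = problems
    return report

if __name__ == "__main__":
    for v in SAMPLE_SET_COOKIE:
        print("before:", audit_cookie(v))
    print("after: ", harden_and_audit(SAMPLE_SET_COOKIE))
```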
