SameSite cookies with Apache
Updated on August 08, 2024
By Pete Freitag
Almost two years ago I wrote about how you can enable SameSite cookies with IIS for cookies that the application itself cannot write with a SameSite attribute. Today I was helping a client do the same thing on Apache. Here's how to add SameSite=lax to a JSESSIONID cookie, for example:
Header edit Set-Cookie ^(JSESSIONID.*)$ $1;SameSite=lax
But if you want to make every cookie set by your web app SameSite, you can do this:
Header edit Set-Cookie ^(.*)$ $1;SameSite=lax
This works by appending ;SameSite=lax to the end of every Set-Cookie HTTP response header.
Please note that this requires the mod_headers Apache module to be enabled in your httpd.conf.
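To see what the blanket rule above does to a real set of cookies, here is an added example (not from the original post, and not Apache itself) that approximates mod_headers' `Header edit` regex substitution in Python, runs it over constructed Set-Cookie values, and audits the result. It assumes Apache's PCRE accepts the negative lookahead used in the guarded rule; the sample cookie values are constructed.

```python
import re

# Constructed sample Set-Cookie values, as an app behind Apache (Tomcat, ColdFusion) might emit them.
RAW_COOKIES = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "CFID=42; Path=/; Secure; HttpOnly",
    "pref=dark; Path=/; SameSite=Strict",
]

# The post's rule: appends to every Set-Cookie, even one that already carries SameSite.
NAIVE_RULE = (r"^(.*)$", "$1;SameSite=lax")
# Guarded variant (assumption: Apache's PCRE accepts the negative lookahead):
# only touch cookies that do not already carry a SameSite attribute.
GUARDED_RULE = (r"(?i)^((?!.*samesite).*)$", "$1;SameSite=lax")


def apache_edit(value, pattern, replacement):
    """Approximate `Header edit Set-Cookie <pattern> <replacement>`.

    mod_headers runs a PCRE regex over the header value and substitutes
    $N back-references; Python's re spells those \\N, so translate them.
    """
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value)


def apply_rule(cookies, rule):
    """Run one Header edit rule over every Set-Cookie header of a response."""
    pattern, replacement = rule
    return [apache_edit(c, pattern, replacement) for c in cookies]


def audit(cookies):
    """Return {cookie name: problem} for headers that browsers reject or that
    carry a missing, duplicate, or inconsistent SameSite attribute."""
    problems = {}
    for c in cookies:
        name = c.split("=", 1)[0]
        attrs = [a.lower() for a in re.findall(r"(?i)samesite=(\w+)", c)]
        secure = re.search(r"(?i)(^|;)\s*secure\s*(;|$)", c) is not None
        if not attrs:
            problems[name] = "missing SameSite"
        elif len(attrs) > 1:
            problems[name] = "duplicate SameSite attributes"
        elif attrs[0] == "none" and not secure:
            problems[name] = "SameSite=None requires Secure"
    return problems


if __name__ == "__main__":
    for label, rule in (("naive", NAIVE_RULE), ("guarded", GUARDED_RULE)):
        print(label, audit(apply_rule(RAW_COOKIES, rule)))
```

The naive rule leaves the pref cookie with two SameSite attributes, which is why a rule that skips cookies already carrying the attribute is safer when the application sets some of them itself.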
SameSite cookies with Apache was first published on February 10, 2020.
Comments
I am having an issue on an iframe pointing to a site that I also control. The issue is that when I go to the page it works, but if I click on any of the links that go to another page, the session is lost. Any idea why that could be?
by Anonymous on 03/31/2020 at 9:18:27 PM UTC
Hi,
Where do we have to write the below command in Linux Ubuntu?
Header edit Set-Cookie ^(.*)$ $1;SameSite=lax
by Haresh on 05/14/2020 at 7:57:15 AM UTC
@Haresh - you would put this in the httpd.conf file if you want it to be global to all sites, or inside a VirtualHost if you want it to be specific to a certain site.
@Anonymous - Sounds like you might be using SameSite=strict; try using lax instead.
by Pete Freitag on 05/14/2020 at 3:00:40 PM UTC
I've tried adding this to both the httpd.conf and a VirtualHost's conf and it seems to have no effect. I'm trying to set SameSite=None;Secure; as the site is being served in an iframe on another site (example.com has test.com embedded).
I'm using wget to load a page locally but the end of CFID/CFTOKEN/JSESSIONID are all "Secure; HttpOnly;" which is set in the CFIDE. I thought these apache rules would override that.
I've tried adding "always" to the start of the line as well, e.g. "Header always edit...", but that again makes no difference.
I'm on apache 2.2.15 so I think it's supported. Any idea what I might be missing?
by Peter Williamson on 08/07/2020 at 10:45:48 AM UTC
Thanks. It should be noted that this solution requires mod_headers to be enabled: https://httpd.apache.org/docs/current/mod/mod_headers.html
by nir on 10/16/2020 at 12:29:39 AM UTC