Pete Freitag

SameSite cookies with Apache

Published on February 10, 2020
By Pete Freitag
web

Almost two years ago I wrote about how you can enable SameSite cookies with IIS for cookies that your application cannot itself write with a SameSite attribute. Today I was helping a client on Apache do the same thing. Here's how we can add SameSite=lax to a JSESSIONID cookie, for example:

Header edit Set-Cookie ^(JSESSIONID.*)$ $1;SameSite=lax

But suppose you want to make every cookie set by your web app SameSite; you can do this:

Header edit Set-Cookie ^(.*)$ $1;SameSite=lax

This works by appending ;SameSite=lax to the end of every Set-Cookie HTTP response header.
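To see what the directive actually does to a response, here is an added Python emulation (not code from the article or from Apache) of Header edit applied to a few constructed Set-Cookie values. It also includes an assumed guarded pattern using a PCRE negative lookahead so cookies that already carry SameSite are left alone, plus a check that flags cookies ending up with no SameSite attribute, a duplicated one, or SameSite=None without Secure.

```python
import re

# Pattern from the article's directive:  Header edit Set-Cookie ^(.*)$ $1;SameSite=lax
# mod_headers uses PCRE; Apache's $1 is written \1 in Python's re module.
ARTICLE_PATTERN = re.compile(r"^(.*)$")
# Assumed refinement (not from the article): only edit cookies that do not already
# carry a SameSite attribute, so the edit never appends a duplicate. In an Apache
# config the equivalent would be a (?i) prefix instead of re.IGNORECASE.
GUARDED_PATTERN = re.compile(r"^(?!.*SameSite=)(.*)$", re.IGNORECASE)
REPLACEMENT = r"\1;SameSite=lax"


def header_edit(set_cookie_values, pattern):
    """Emulate 'Header edit': replace the first match in each Set-Cookie value."""
    return [pattern.sub(REPLACEMENT, value, count=1) for value in set_cookie_values]


def samesite_problems(set_cookie_values):
    """Return (cookie_name, problem) pairs for cookies whose SameSite handling is wrong."""
    problems = []
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        attrs = [p.strip() for p in value.split(";")[1:] if p.strip()]
        attr_names = [a.split("=", 1)[0].lower() for a in attrs]
        samesite = [a for a in attrs if a.lower().startswith("samesite=")]
        if not samesite:
            problems.append((name, "no SameSite attribute"))
        elif len(samesite) > 1:
            problems.append((name, "duplicate SameSite attribute"))
        elif samesite[0].split("=", 1)[1].strip().lower() == "none" and "secure" not in attr_names:
            # Browsers reject SameSite=None unless the cookie is also marked Secure.
            problems.append((name, "SameSite=None without Secure"))
    return problems


# Constructed sample Set-Cookie values, as an origin application might emit them.
SAMPLE_COOKIES = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "CFID=42; Path=/; HttpOnly",
    "tracker=x; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for label, pattern in (("article", ARTICLE_PATTERN), ("guarded", GUARDED_PATTERN)):
        edited = header_edit(SAMPLE_COOKIES, pattern)
        print(label, edited, samesite_problems(edited))
```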



apache samesite cookies




Comments

I am having an issue on an iframe pointing to a site that I control also. The issue is that when I go to the page it works, but if I click on any of the links that will go to another page the session is lost. Any idea why that could be?
by Anonymous on 03/31/2020 at 9:18:27 PM UTC
Hi,
Where do we have to write the below command on Linux Ubuntu?

Header edit Set-Cookie ^(.*)$ $1;SameSite=lax
by Haresh on 05/14/2020 at 7:57:15 AM UTC
@Haresh - you would put this in the httpd.conf file if you want it to be global to all sites, or inside a VirtualHost if you want it to be specific to a certain site.

@Anonymous - Sounds like you might be using SameSite=strict; try using lax instead.
by Pete Freitag on 05/14/2020 at 3:00:40 PM UTC
I've tried adding this to both the httpd.conf and a VirtualHost's conf and it seems to have no effect. I'm trying to set SameSite=None;Secure; as the site is being served in an iframe on another site (example.com has test.com embedded).

I'm using wget to load a page locally but the end of CFID/CFTOKEN/JSESSIONID are all "Secure; HttpOnly;" which is set in the CFIDE. I thought these apache rules would override that.

I've tried adding "always" to the start of the line as well, e.g. "Header always edit...", but that again makes no difference.

I'm on Apache 2.2.15, so I think it's supported. Any idea what I might be missing?
by Peter Williamson on 08/07/2020 at 10:45:48 AM UTC
Thanks. It should be noted that this solution required mod_headers to be enabled: https://httpd.apache.org/docs/current/mod/mod_headers.html
by nir on 10/16/2020 at 12:29:39 AM UTC