Since Railo/Resin does not allow session cookies to be httpOnly I've been trying to catch them with mod-security 2.7. Normally this would be done in phase:3
I can't seem to process any rules on phase:3 or 4 for that matter...
A simple rule like this:
SecRule RESPONSE_HEADERS:Set-Cookie ".+" "id:1005,log,phase:3,msg:%{matched_var}"
Logs this when visiting my rootPage:
[/][4] Initialising transaction (txid UDORCgoUBWsAADDIBB4AAAA-).
[/][4] Transaction context created (dcfg 324de8).
[/][4] First phase starting (dcfg 324de8).
[/][4] Starting phase REQUEST_HEADERS.
[/][9] This phase consists of 0 rule(s).
[/][4] Second phase starting (dcfg 324de8).
[/][4] Input filter: This request does not have a body.
[/][4] Starting phase REQUEST_BODY.
[/][9] This phase consists of 0 rule(s).
[/][4] Hook insert_filter: Adding output filter (r 15b6110).
[/][4] Initialising logging.
[/index.cfm][4] Starting phase LOGGING.
[/index.cfm][9] This phase consists of 0 rule(s).
[/index.cfm][4] Recording persistent data took 0 microseconds.
[/index.cfm][4] Audit log: Not configured to run for this request.
When visiting a static image though, phase 3 and 4 get processed normally:
[/image.png][4] Initialising transaction (txid UDORMgoUBWsAADDIBB8AAAA-).
[/image.png][4] Transaction context created (dcfg 324de8).
[/image.png][4] Hook insert_error_filter: Adding output filter (r 15ba120).
[/image.png][9] Output filter: Receiving output (f 15bba50, r 15ba120).
[/image.png][4] Starting phase RESPONSE_HEADERS.
[/image.png][9] This phase consists of 1 rule(s).
[/image.png][4] Recipe: Invoking rule 347328; [file "C:/Apache/conf/httpd.conf"] [line "525"] [id "1005"].
[/image.png][5] Rule 347328: SecRule "RESPONSE_HEADERS:Set-Cookie" "@rx .+" "phase:3,auditlog,pass,id:1005,log,msg:%{matched_var}"
[/image.png][4] Rule returned 0.
[/image.png][9] No match, not chained -> mode NEXT_RULE.
[/image.png][4] Output filter: Response body buffering is not enabled.
[/image.png][9] Content Injection: Not enabled.
[/image.png][4] Output filter: Completed receiving response body (non-buffering).
[/image.png][4] Starting phase RESPONSE_BODY.
[/image.png][9] This phase consists of 0 rule(s).
[/image.png][4] Output filter: Output forwarding complete.
[/image.png][9] Output filter: Sending input brigade directly.
[/image.png][4] Initialising logging.
[/image.png][4] Starting phase LOGGING.
[/image.png][9] This phase consists of 0 rule(s).
[/image.png][4] Recording persistent data took 0 microseconds.
[/image.png][4] Audit log: Not configured to run for this request.
I'm using mod_caucho to connect Apache to Resin