20

I need to remove a cookie from the HTTP request that gets to the server. Doing it on the client (that writes this cookie) or on the server (that reads it) is not an option. I have Apache 2.0 that proxies requests between client and the server, so I was hoping to remove the cookie right there in Apache using mod_rewrite.

My question is, is there a way to remove a certain cookie from the HTTP request using mod_rewrite?

If not possible to remove just one cookie then as a last resort to remove all cookies from the request?

I am open to other suggestions of how to accomplish this if mod_rewrite is not the right tool for this task.

Sergey Golovchenko

4 Answers

30

Apache mod_rewrite allows manipulation of URLs but not of HTTP headers; however, 'mod_headers' will let you do that.

So, you could use:

RequestHeader unset Cookie

This will strip all cookies from the request. I'm not sure if it's possible to remove just a particular cookie using this technique.

Alternatively, you can stop cookies being passed back to the client using:

Header unset Set-Cookie

if that's more appropriate.

Andy
  • It is possible to set cookies with mod_rewrite. But as far as I know only for the response to the client. – Gumbo Nov 26 '09 at 16:31
11

With Apache > 2.2.4, you could have used:

RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2
Anthony O.
  • 4
    This: `RequestHeader edit Cookie "^(.*?)ssosession=.*?(?:$|;)(.*)$" $1$2` works even if the header does not end with a `;`. – Simon May 22 '14 at 15:13
  • 4
    `RequestHeader edit cookie ANY_COOKIE=[^;]*?($|;) ""` should also work: this way you don't have to capture the prefix/postfix parts and put them back. – Coke Feb 05 '18 at 21:44
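Added example, not part of the answer or its comments: the three patterns above run over constructed Cookie headers, with Python's `re` standing in for Apache's regex engine and `count=1` standing in for `RequestHeader edit` replacing a single match. The `anchored` pattern and the sample headers are assumptions added here for comparison; the first comment's `ssosession` is written as `ANY_COOKIE` so all patterns target the same name.

```python
import re

# Patterns from the answer and its two comments, all targeting ANY_COOKIE.
# "anchored" is an added variant (assumption), not taken from the page.
PATTERNS = {
    "answer":   (r"^(.*?)ANY_COOKIE=.*?;(.*)$", r"\1\2"),
    "simon":    (r"^(.*?)ANY_COOKIE=.*?(?:$|;)(.*)$", r"\1\2"),
    "coke":     (r"ANY_COOKIE=[^;]*?($|;)", ""),
    "anchored": (r"(^|;\s*)ANY_COOKIE=[^;]*", ""),
}

# Constructed Cookie request headers covering the cases raised in the comments.
SAMPLES = {
    "middle":    "a=1; ANY_COOKIE=secret; b=2",
    "last":      "a=1; ANY_COOKIE=secret",
    "lookalike": "MY_ANY_COOKIE=keep; ANY_COOKIE=secret; b=2",
}

def edit(pattern_name, header):
    """Emulate `RequestHeader edit`: replace the first match only."""
    pattern, replacement = PATTERNS[pattern_name]
    return re.sub(pattern, replacement, header, count=1)

def cookie_names(header):
    """Cookie names a backend would parse out of the (edited) header."""
    pairs = (p.strip() for p in header.split(";"))
    return [p.split("=", 1)[0] for p in pairs if p]

def report():
    """Map (pattern, sample) -> cookie names that survive the edit."""
    return {(p, s): cookie_names(edit(p, h))
            for p in PATTERNS for s, h in SAMPLES.items()}

if __name__ == "__main__":
    for (p, s), names in report().items():
        print(f"{p:9} {s:10} -> {names}")
```

In the `lookalike` sample the three unanchored patterns match inside `MY_ANY_COOKIE`, so they damage that cookie and leave the `secret` value in the header; the pattern anchored on `^` or `;` removes only the cookie whose name is exactly `ANY_COOKIE`.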
9

You can manage specific cookies using the following statements in Apache reverse proxy configurations:

To remove any specific cookie you can use:
'Header add Set-Cookie "ANY_COOKIE='';expires='SOME_DATE_IN_PAST'; Max-Age=0; Path=COOKIE_PATH"'

By specifying a past date, you tell the browser that the cookie has expired and the browser will discard the cookie.

To add any cookie you can use:
'Header add Set-Cookie "ANY_COOKIE='ANY_VALUE';expires='SOME_FUTURE_DATE'; Path=COOKIE_PATH"'

Be sure that you specify some future date. If you do not specify any date, the cookie will be treated as a session cookie.

Try using the following to remove a specific cookie from the request:

'RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"'

Vivek Singh CHAUHAN
  • 1
    Try using the following to remove a specific cookie from the request: **'RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"'** – Vivek Singh CHAUHAN Jul 15 '11 at 10:31
  • I think RequestHeader add Cookie will actually create 3 cookies for you. (ANY_COOKIE, expired and Path) which might not be what you want. – Valentin Despa May 31 '16 at 14:03
1

I use this to unset all cookies (good to serve static content)

Header unset Cookie
Header unset Set-Cookie
Dylan B