4

I use mod_rewrite to set some cookies and then redirect the user to the target url. As these cookies are used in a third party environment, I have to set the flag SameSite=none. I tried to edit the Set-Cookie header via mod_headers, but I didn't get it to work.

My Apache config:

<VirtualHost *:80>
  ServerName www.example.test
  RewriteEngine on
  RewriteRule ^/test/(.*)$  /test/$1  [CO=cookie1:1:.example.test:86400:/:true:true]
  RewriteRule ^/test/(.*)$  /test/$1  [CO=cookie2:$1:.example.test:86400:/:true:true]
  RewriteRule ^/test/(.*)$ http://www.example.test/test2/$1 [R,L]
  Header always edit Set-Cookie ^(.*)$ "$1; SameSite=none"
  Header always set X-Foo "bar"
  Header always edit X-Foo ^(.*)$ "$1; SameSite=none"
</VirtualHost>

My test request:

Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Tue, 04 Feb 2020 09:12:23 GMT
  Server: Apache/2.4.6 (CentOS) PHP/7.2.27
  X-Foo: bar; SameSite=none
  Set-Cookie: cookie1=1; path=/; domain=.example.test; expires=Sat, 04-Apr-2020 09:12:23 GMT; secure; HttpOnly
  Set-Cookie: cookie2=0815; path=/; domain=.example.test; expires=Sat, 04-Apr-2020 09:12:23 GMT; secure; HttpOnly
  Location: http://www.example.test/test2/0815
  Content-Length: 218
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Cookie coming from 127.0.0.1 attempted to set domain to 127.0.0.1
Cookie coming from 127.0.0.1 attempted to set domain to 127.0.0.1
Location: http://www.example.test/test2/0815

Why is the X-Foo header edited, but the Set-Cookie headers are not?

Xoldomir
  • 71
  • 1
  • 4

1 Answers1

3

I finally got it - you can set the SameSite flag in the RewriteRule:

<VirtualHost *:80>
  ServerName www.example.test

  RewriteEngine on

  RewriteRule ^/test/(.*)$  /test/$1  [CO=cookie1:1;\ SameSite=none:.example.test:86400:/:true:true]
  RewriteRule ^/test/(.*)$  /test/$1  [CO=cookie2:$1;\ SameSite=none:.example.test:86400:/:true:true]

  RewriteRule ^/test/(.*)$ http://www.example.test/test2/$1 [R,L]

</VirtualHost>

Now I get the following response:

wget --server-response --header "Host: www.example.test" "http://127.0.0.1/test/0815"
--2020-02-05 11:15:15--  http://127.0.0.1/test/0815
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Found
  Date: Wed, 05 Feb 2020 10:15:15 GMT
  Server: Apache/2.4.6 (CentOS) PHP/7.2.27
  Set-Cookie: cookie1=1; SameSite=none; path=/; domain=.example.test; expires=Sun, 05-Apr-2020 10:15:15 GMT; secure; HttpOnly
  Set-Cookie: cookie2=0815; SameSite=none; path=/; domain=.example.test; expires=Sun, 05-Apr-2020 10:15:15 GMT; secure; HttpOnly
  Location: http://www.example.test/test2/0815
  Content-Length: 218
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Cookie coming from 127.0.0.1 attempted to set domain to 127.0.0.1
Cookie coming from 127.0.0.1 attempted to set domain to 127.0.0.1
Location: http://www.example.test/test2/0815 [following]
Xoldomir
  • 71
  • 1
  • 4