Apache: incap_ses_* cookie is Secure but not HttpOnly, whereas visid_incap_* have both flags

Question

I have an Apache server that hosts a Wordpress webpage. I modified my mod_headers to set the Secure and HttpOnly flag to all the cookies. My configuration is as follows:

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

For some reason the incap_ses cookie only appears with the Secure flag, and the visid_incap have both Secure and HttpOnly flags.

Is there a reason why that specific cookie (incap_ses) doesn't appear with the HttpOnly flag too?

score 1 · Answer 1 · answered Jan 12 '21 at 04:38

Here are a few ways to fix this.
Try always in front of edit i.e. always edit
Also make sure that you list a line uses always before any lines that has just use edit
Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

But best practice would be to handle this in a PHP file. Then add something like this to the .htaccess.

Header set Set-Cookie HttpOnly;Secure
# END WordPress
# BEGIN HttpHeaders
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
# END HttpHeadersCookie

Apache: incap_ses_* cookie is Secure but not HttpOnly, whereas visid_incap_* have both flags

1 Answers1