I am using Apache 2.2.29 on a website. Apache both serves pages from Drupal and acts as a reverse proxy for an internal application server. For security reasons, we want to add the HttpOnly and secure flags to all cookies sent to the client. To do this, I set the following rules in Apache:
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
For some cookies this works fine, but other cookies are not modified. Looking at the response headers, I see the following:
HTTP/1.1 200 OK
Date: Thu, 20 Nov 2014 22:50:01 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 20 Nov 2014 22:50:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Set-Cookie: SESSbfb02014bca2e49545c2cacd8a8cfcfa=perqn1l3mn2saselmabnn4vla7; expires=Sun, 14-Dec-2014 02:23:21 GMT; path=/; domain=.www6.server.com; HttpOnly; secure
Set-Cookie: textsize=100; expires=Fri, 20-Nov-2015 22:50:02 GMT; path=/; HttpOnly; secure
X-Cnection: close …
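To check what the two Header edit rules above actually do to a given Set-Cookie value, here is an added example (not from the original post) that applies the same regular expressions in Python: the inline (?i) flag and the negative lookahead behave as in Apache's PCRE, Apache's $1 is written \1, and the Set-Cookie values are constructed for the demonstration.

```python
import re

# The two Apache "Header edit" rules from the question, in Python re syntax.
# Each pattern matches the whole value only if ";HttpOnly" / ";secure"
# (optional whitespace after the ";", any letter case) occurs nowhere in it.
RULES = [
    (re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$"), r"\1; HttpOnly"),
    (re.compile(r"(?i)^((?:(?!;\s?secure).)+)$"), r"\1; secure"),
]


def harden_set_cookie(value: str) -> str:
    """Apply both rules, in order, to one Set-Cookie header value.

    A value that already carries a flag is left untouched for that rule,
    because the lookahead makes the pattern fail to match at all.
    """
    for pattern, replacement in RULES:
        value = pattern.sub(replacement, value)
    return value


def harden_all(values):
    """Apply the rules to every Set-Cookie value of one response."""
    return [harden_set_cookie(v) for v in values]


# Constructed sample values (not captured from any real server).
SAMPLE = [
    "textsize=100; expires=Fri, 20-Nov-2015 22:50:02 GMT; path=/",  # no flags
    "sid=abc123; path=/; HttpOnly",                                # one flag
    "pref=dark; path=/; Secure; HttpOnly",                         # both, mixed case
    "cart=3;httponly",                                             # no space, lower case
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE, harden_all(SAMPLE)):
        print(f"{before!r}\n  -> {after!r}")
```

Because both rules only match values that lack the flag, re-running them over an already hardened header is a no-op, which is why cookies that already show both flags cannot be the ones the rules are silently skipping.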