Thanks, it worked for me! :-)
________________________________
From: Eric Covener <cove...@gmail.com>
Sent: Sunday, October 25, 2020, 9:29 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] set httponly flag for only "session" cookie

try adapting the commented example here for samesite:
https://github.com/covener/apache-samesite/blob/master/samesite-global.conf

On Sat, Oct 24, 2020 at 10:01 PM Sathish Vijayan <sathish.vija...@tre.se> wrote:

Hi!

I am using form based authentication and enabled a session cookie to store the user session with username and password as below, and I am trying to set the httponly flag for only the “session” cookie. Please help to solve this with a configuration in apache 2.4.25 version.

AuthType form
AuthName "TEST"
AuthUserFile /user/passwords
AuthGroupFile /user/groups
AuthFormLoginRequiredLocation /login/login.html
AuthFormFakeBasicAuth On
Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/;httponly;secure;
Require valid-user

[Screenshot: Developer tool]

Please note: I don’t want to set the httponly flag for other cookies.

I tried the below, but it enables the httponly flag for all cookies while browsing the webpage:

<IfModule headers_module>
Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Or
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;secure
</IfModule>

Regards,
Sathish Vijayan

--
Eric Covener
cove...@gmail.com
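
Why the `Header edit` patterns in the question rewrite every cookie, and how anchoring the pattern on the cookie name limits the edit to one, as an added example that is not from the thread or the linked repository. Python's `re` stands in for the mod_headers regex engine, the cookie values are constructed, and the `session=`-anchored pattern is an assumption rather than the contents of samesite-global.conf.

```python
import re

# Constructed Set-Cookie values (not from the thread): the mod_session cookie
# named "session" plus two unrelated application cookies.
SAMPLE = [
    "session=abc123; path=/",
    "theme=dark; path=/",
    "session_backup=1; path=/",
]

# Blanket pattern quoted in the question: any cookie that lacks HttpOnly.
BLANKET = r"(?i)^((?:(?!;\s?HttpOnly).)+)$"
# Assumed name-anchored variant: the cookie name must be exactly "session"
# (case-sensitive); only the attribute test is case-insensitive.
SCOPED = r"^(session=(?:(?!;\s?(?i:HttpOnly)).)*)$"


def header_edit(values, pattern, replacement=r"\1; HttpOnly"):
    """Model one `Header edit Set-Cookie` rule: a single regex substitution
    per header value (Apache writes the backreference as $1, Python as \\1)."""
    return [re.sub(pattern, replacement, v, count=1) for v in values]


def touched(values, pattern):
    """Names of the cookies whose Set-Cookie value the rule rewrites."""
    edited = header_edit(values, pattern)
    return [old.split("=", 1)[0] for old, new in zip(values, edited) if old != new]


if __name__ == "__main__":
    for label, pattern in (("blanket", BLANKET), ("scoped", SCOPED)):
        print(label, "->", touched(SAMPLE, pattern))
    # A cookie that already carries the flag is not edited a second time.
    print(header_edit(["session=abc123; path=/;httponly;secure;"], SCOPED))
```

The trailing `=` in the scoped pattern is what keeps a cookie such as `session_backup` from matching on the shared prefix.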