Thank you Ivan. Thank you for your guidance. I will surely try that in our test environment.
 
Thanks again.
 
Regards,
Alan.

On Sat, Jun 26, 2010 at 3:59 AM, Ivan Ristic <ivan.ristic@gmail.com> wrote:
You are after the header editing capability, which is present in
Apache since 2.2.4:

   http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

Apache will allow you to use a regular expression to parse and
decompose any header into fragments, then reassemble it via regex
backreferences.

Here's one example from my book:

   RequestHeader edit Cookie "(?i)^(PHPSESSID)=(.+)$" "DISABLED_$1=$2" \
       env=DISABLE_INBOUND_SESSION

The above example (which operates on request headers; you will want to
use just Header for response headers) will essentially change the name
of a cookie, but only if the DISABLE_INBOUND_SESSION flag is set.


On Wed, Jun 23, 2010 at 8:34 PM, Alan <saje2k@gmail.com> wrote:
> Brian Rectanus <Brian.Rectanus <at> breach.com> writes:
>
>>
>> On 06/23/2010 09:56 AM, Alan wrote:
>> > Hello,
>> >
>> > Could you please how to create a mod_security rule to remove "httpOnly"
> field
>> > from set-cookie for blackberry browsers.
>> >
>> > Thanks in advance.
>> > Alan
>>
>> Have you read through this?
>>
>> http://blog.modsecurity.org/2008/12/fixing-both-missing-httponly-and-secure-
> cookie-flags.html
>>
>> -B
>>
> Hello Brian,
>
> Thank you for your quick response. Yes I did read through the article and
> implemented it. But I am trying to remove the HTTPOnly which is already there.
> I am new to this and I don't know how to remove it.
> I tried using Header unset Set_Cookie with variable and getting Syntax error -
> header unset takes two arguments
>
> Any help would be much appreciated.
>
>
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> lucky parental unit.  See the prize list and enter to win:
> http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
>



--
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]