Ok, I think I'm learning a little more about how the httpOnly header fix is working.  I don't think that mod_security is actually participating in what I'm trying to do.

The Header directive that I got from some mod_security examples

Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly"

is actually just an Apache thing.  (I just now realized that; I thought the Header directive was something being processed by mod_security.)

So, I'll do some more experimentation with this header directive and see if it's a problem with the regex that's causing it not to work with the headers generated by Witango.
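A quick way to test that hypothesis offline is to run the Header edit regex against sample Set-Cookie values and see which ones it rewrites. The script below is an added example for this thread, not code from the list or from Witango; the sample cookie values are constructed, and the WTSESSION name is a hypothetical stand-in for a cookie name that is not in the pattern's list, not Witango's real cookie name.

```python
import re

# The pattern from the "Header edit Set-Cookie" directive above, copied verbatim.
# Apache uses PCRE; Python's re handles the scoped (?i:...) groups the same way
# for this pattern (Python 3.6+).
COOKIE_RE = re.compile(
    r"^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid"
    r"|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$"
)


def add_httponly(set_cookie_value: str) -> str:
    """Apply the same rewrite Apache performs with the replacement "$1; HttpOnly".

    Group 1 is the whole header value, so a match appends "; HttpOnly" to it.
    The (?!httponly) lookahead means a value that already carries the flag
    does not match and is returned unchanged.
    """
    return COOKIE_RE.sub(r"\1; HttpOnly", set_cookie_value)


def check_headers(headers):
    """Map each Set-Cookie value to its rewritten form; unchanged ones stand out."""
    return {h: add_httponly(h) for h in headers}


# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLES = [
    "PHPSESSID=abc123; path=/",            # name matches (php)?sessid -> rewritten
    "JSESSIONID=1A2B; Path=/app",          # name matches [aj]?sessionid -> rewritten
    "PHPSESSID=abc123; path=/; HttpOnly",  # already flagged -> left alone
    "WTSESSION=9f9f; path=/",              # hypothetical name, not in the list -> unchanged
]

if __name__ == "__main__":
    for before, after in check_headers(SAMPLES).items():
        status = "rewritten" if before != after else "UNCHANGED"
        print(f"{status:9} {before!r} -> {after!r}")
```

If the middleware's cookie name comes back UNCHANGED here, the regex alternatives are the problem; if it is rewritten here but not by Apache, check whether the response is going through the error headers table, which plain `Header edit` does not touch and `Header always edit` does.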


On Wed, Nov 7, 2012 at 12:43 PM, John McGowan <john@lynch2.com> wrote:

I'm trying to come up with a fix for some legacy applications.  Specifically, I need to get the httpOnly attribute set on some session cookies.  I came across some very helpful information and I've been able to successfully get mod_security installed and have it "fixing" session cookies that are created in a PHP 5.1 environment (that's not aware of the httpOnly attribute).

My next task is to accomplish the same thing, but instead of PHP, it's an old legacy middleware system that's generating the HTTP response.  When I went to test this out, the "cookie fixing" wasn't happening.  Is there something special or different that this middleware could be doing with its Apache plugin/module that's causing it to bypass whatever would normally give mod_security a shot at modifying the result before it goes to the browser?

For what it's worth, the middleware is called Witango (formerly known as Tango, now known as TeraScribe (by hardly anybody)).

I did some reading and understand the "phases" that mod_security is capable of working in.

I'm sorry if I'm not providing enough information, here.  I'm just hoping this is enough information to start a conversation about where to go or what to look for here.

Thanks in advance,


John McGowan

792 West Bartlett Road
Bartlett, Illinois 60103

w:847-608-6900 Ext 4110