From: J Amuse
Sent: Tuesday, January 29, 2008 10:49 AM
To: Ryan Barnett
Subject: Re: [mod-security-users] changing session token attributes



On Jan 29, 2008 4:18 PM, Ryan Barnett wrote:

In the current version of ModSecurity, you can not edit/manipulate outbound data.

I'm new to ModSecurity, so please excuse me if I totally misunderstood. I previously asked a question on the list about CSRF protection mechanisms and Ivan Ristic responded that I could inject nonces into forms via ModSecurity, so I understood from that that you could manipulate outbound data. What am I missing?

[Ryan Barnett] The answer is in the following section of my original response :) You can use content injection to inject new data into response body data. For your scenario, you want to add data to the response headers (cookie header specifically) and you can not currently do that with Mod.

- J

 The exception here is the new Content Injection actions in Mod 2.5, however that is for response body data and it can not manipulate response headers.


In order to do what you need, you will probably need to use mod_headers -


Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training

Web Application Security Consortium (WASC) Member

CIS Apache Benchmark Project Lead


Author: Preventing Web Attacks with Apache


From: [] On Behalf Of J Amuse
Sent: Tuesday, January 29, 2008 8:50 AM
Subject: [mod-security-users] changing session token attributes


I want to create a rule to rewrite a cookie's attributes, i.e. add secure and HttpOnly flags and reset the path to a different directory. I figure I can use the RESPONSE_HEADERS variable, but I'm not sure how to go about creating a rule to rewrite content. Can someone point me to an example?

 - J
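
The mod_headers approach suggested in the reply, sketched as an added example that is not part of the original thread. The cookie name `SESSIONID` and the path `/app` are placeholder assumptions, and `Header edit` requires Apache 2.2.4 or later.

```apache
# Added example, not from the thread. SESSIONID and /app are placeholders.
# Each Set-Cookie header is edited separately; rules run in the order listed.
<IfModule mod_headers.c>
    # 1. If the session cookie already carries a Path attribute, replace it.
    Header edit Set-Cookie "^(SESSIONID=.*?);\s*(?i:path)=[^;]*" "$1; Path=/app"

    # 2. If it has no Path attribute at all, append one.
    #    The negative lookahead keeps this from firing after rule 1 matched.
    Header edit Set-Cookie "^(SESSIONID=(?!.*;\s*(?i:path)=).*)$" "$1; Path=/app"

    # 3. Append HttpOnly only when it is missing, so the flag is never duplicated.
    Header edit Set-Cookie "^(SESSIONID=(?!.*;\s*(?i:httponly)).*)$" "$1; HttpOnly"

    # 4. Append Secure only when it is missing. Browsers send a Secure cookie
    #    over HTTPS only, so enable this where the whole session runs on TLS.
    Header edit Set-Cookie "^(SESSIONID=(?!.*;\s*(?i:secure)).*)$" "$1; Secure"
</IfModule>
```

Without a condition keyword these directives act on the default (onsuccess) header table; cookies emitted through the always table need the same rules written as `Header always edit`.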