Sorry to have bothered the list with this.  I'll take a moment to describe what the problem was.  As I suspected after my second email, it had nothing to do with mod_security, but rather just the regex in the Header directive that I got from a mod_security example was not working.

The legacy middleware in question (Witango) was building some pretty crappy Set-Cookie headers.  For one, they had trailing semicolons, which is not part of the spec.  Also, the regex was failing with the begin-line ^ and end-line $ assertions.  So I suspect that Witango's cookie headers have whitespace that's likely not consistent with the platform I'm running on (Linux).

I was able to write a couple of Header directives from scratch that took care of the mess and injected the HttpOnly attribute on the cookies.

There is a silver lining here... Even though, in the end, I don't need mod_security to solve this particular issue, I'm glad I was exposed to it.  It seems to be very well documented, and might make a good addition as a WAF to my other hosting environments.

/John
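As an added illustration (not code from this thread, from Witango or from ModSecurity), the following Python script runs the Header-directive regex quoted in the earlier message below against constructed Set-Cookie values covering the cases discussed (trailing semicolon, unexpected whitespace, an already-flagged cookie, a cookie name outside the regex's list), next to a name-agnostic normalising helper; header_edit, add_httponly_tolerant and SAMPLES are hypothetical names.

```python
import re

# The regex from the Header directive quoted in the thread, verbatim. Apache
# evaluates it with PCRE; Python's re accepts the same syntax here (scoped
# (?i:...) groups need Python 3.6+), so the matches below track httpd's.
LIST_REGEX = re.compile(
    r"^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid"
    r"|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$"
)

def header_edit(value, regex=LIST_REGEX, replacement=r"\1; HttpOnly"):
    """Simulate `Header edit Set-Cookie <regex> "$1; HttpOnly"` on one
    Set-Cookie value; returns (new_value, matched)."""
    new_value, count = regex.subn(replacement, value, count=1)
    return new_value, count > 0

def has_httponly(value):
    """True if one of the cookie's attributes is HttpOnly (case-insensitive)."""
    return any(p.strip().lower() == "httponly" for p in value.split(";")[1:])

def add_httponly_tolerant(value):
    """Hypothetical name-agnostic alternative: trim surrounding whitespace and
    trailing ';' (the sloppiness the thread describes), then append HttpOnly
    once. It flags every cookie, so use it only where no cookie must stay
    readable by script; the thread's own rewritten directives are not shown."""
    cleaned = value.strip().rstrip("; \t")
    if "=" not in cleaned.split(";", 1)[0]:
        return value  # not name=value; leave the header alone
    if has_httponly(cleaned):
        return cleaned
    return cleaned + "; HttpOnly"

# Constructed sample values (not captured from Witango): clean, trailing ';',
# leading whitespace, already flagged, and a name the regex does not list.
SAMPLES = [
    "PHPSESSID=abc123; path=/",
    "PHPSESSID=abc123; path=/;",
    " PHPSESSID=abc123; path=/",
    "PHPSESSID=abc123; path=/; HttpOnly",
    "CustomSession=abc123; path=/",
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), "->", header_edit(v), "|", repr(add_httponly_tolerant(v)))
```

Note that the trailing-semicolon case still matches the list regex but yields a doubled ";;" in the output, while leading whitespace defeats the ^ anchor outright; also, Header edit without the always condition only touches Apache's default (onsuccess) header table, so headers a module places in the always table need Header always edit.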


On Wed, Nov 7, 2012 at 1:40 PM, John McGowan <john@lynch2.com> wrote:
Ok, I think I'm learning a little more about how the httpOnly header fix is working.  I don't think that mod_security is actually participating in what I'm trying to do.

The Header directive that I got from some mod_security examples

Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly"

Is actually just an Apache thing.  (I just now realized that, I thought the Header directive was something being processed by mod_security)

So, I'll do some more experimentation with this Header directive and see if it's a problem with the regex that's causing it to not work with the headers generated by Witango.

/John


On Wed, Nov 7, 2012 at 12:43 PM, John McGowan <john@lynch2.com> wrote:
Hello,

I'm trying to come up with a fix for some legacy applications.  Specifically, I need to get the httpOnly attribute set on some session cookies.  I came across some very helpful information and I've been able to successfully get mod_security installed and have it "fixing" session cookies that are created in a PHP 5.1 environment (that's not aware of the httpOnly attribute).

My next task is to accomplish the same thing, but instead of PHP, it's an old legacy middleware system that's generating the HTTP response.  When I went to test this out, the "cookie fixing" wasn't happening.  Is there something special or different that this middleware could be doing with its Apache plugin/module that's causing it to bypass whatever would normally give mod_security a shot at modifying the result before it goes to the browser?

For what it's worth, the middleware is called Witango (formerly known as Tango, now known as TeraScribe (by hardly anybody)).

I did some reading and understand the "phases" that mod_security is capable of working in,

I'm sorry if I'm not providing enough information here.  I'm just hoping this is enough information to start a conversation about where to go or what to look for.

Thanks in advance,
John

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/