Add HttpOnly flag to cookies on the fly with Apache?

So I have a Java webapp that uses Tomcat with an Apache proxy layer. I'm looking to make all cookies set from the app have the HttpOnly flag. The problem with this is that Tomcat is responsible for setting the flag from the application side, and its default (in Servlet API 2.5) is false. I was hoping I could set this flag for all cookies on the fly using Apache.

I've been trying different combinations, and the closest I have gotten is setting the last cookie passed to HttpOnly, which is of course wrong:

  Header append Set-Cookie "; HttpOnly"

I have no way of knowing what cookies/values are going to be passed from the app. Is this even possible?

Zack asked Dec 21 '22 17:12

2 Answers

The following mod_headers rewrite has the benefit that it won't duplicate HttpOnly if it's already there, if that sort of thing matters to you:

  Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"

See:

  • Where I originally found the above regex
  • An explanation of why all those parentheses with the negative lookahead assertion, search for Finding Lines Containing or Not Containing Certain Words
  • A post where I found a small improvement to the regex (search for Header edit Set-Cookie)
Steve Kehlet answered Dec 24 '22 08:12

Try the following mod_headers directive.

  Header edit Set-Cookie ^(.*)$ $1;HttpOnly
Tommi answered Dec 24 '22 07:12

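To see what the two directives in the answers above actually do to a backend's Set-Cookie headers, here is an added Python simulation; it is not code from either answer, from Apache, or from the asker's app. It applies each answer's regex with Python's re module, which handles the inline (?i) flag and the (?!...) negative lookahead the same way Apache's PCRE does (the back-reference is written $1 in Apache and \1 in Python), to a constructed set of cookie headers. The sample header values and the harden_response helper are assumptions for illustration only.

```python
import re

# Pattern from the first answer. The group can only match a header value in which
# ";HttpOnly" / "; HttpOnly" never occurs (any letter case), so a cookie that
# already carries the flag produces no match and is left untouched.
ONLY_WITHOUT_HTTPONLY = re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$")

# Pattern from the second answer: matches every value unconditionally.
ANY_VALUE = re.compile(r"^(.*)$")


def edit_guarded(value: str) -> str:
    r"""Simulates: Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
    (Apache writes the back-reference as $1; Python's re.sub wants \1)."""
    return ONLY_WITHOUT_HTTPONLY.sub(r"\1; HttpOnly", value)


def edit_unguarded(value: str) -> str:
    """Simulates: Header edit Set-Cookie ^(.*)$ $1;HttpOnly"""
    return ANY_VALUE.sub(r"\1;HttpOnly", value)


def harden_response(headers, edit=edit_guarded):
    """Apply the edit to every Set-Cookie header of a response, the way mod_headers
    does; other headers pass through unchanged. `headers` is a list of (name, value).
    Hypothetical helper: Apache does this per header internally."""
    return [
        (name, edit(value)) if name.lower() == "set-cookie" else (name, value)
        for name, value in headers
    ]


# Constructed sample response from the backend (not real captured traffic).
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app"),    # no flag yet
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),       # no flag yet
    ("Set-Cookie", "csrf=deadbeef; Path=/; Secure; HttpOnly"),    # already flagged
    ("Set-Cookie", "legacy=1;httponly"),                          # flagged, odd case, no space
]

if __name__ == "__main__":
    for name, value in harden_response(SAMPLE_RESPONSE):
        print(f"{name}: {value}")
    print()
    print("unguarded edit applied twice to an already-flagged cookie:")
    print(edit_unguarded(edit_unguarded("csrf=deadbeef; Path=/; Secure; HttpOnly")))
```

Running it shows the guarded edit adds the flag only to the first two cookies and is idempotent (applying it again changes nothing), whereas ^(.*)$ appends ;HttpOnly to every Set-Cookie on every pass, including cookies that already carry it. One caveat for the real Apache config: the Header directive operates on the onsuccess table by default, so error responses (4xx/5xx) from the proxied app are skipped; use the `always` condition (Header always edit Set-Cookie ...) if those responses also set cookies.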