How to set the HttpOnly and Secure flags in apache2.4.6 and tomcat

Kobra Ghahremani · Dec 22, 2013 · Viewed 12.8k times

I have apache2.4.6 and dotcms2.3.2 on SUSE Linux. I want to set the HttpOnly and Secure flags in dotcms and tomcat. I set these configurations in apache and tomcat:

<Context useHttpOnly="true">

in context.xml,

<Connector maxThreads="400" connectionTimeout="3000" port="8080" protocol="HTTP/1.1" redirectPort="8443" URIEncoding="UTF-8" secure="true" />

in server.xml, and

Header edit Set-Cookie ^(.*)$ $1;HttpOnly   

or

Header set Set-Cookie HttpOnly;Secure

in httpd.conf.

After that I restarted tomcat and tested with Burp Suite, but it isn't set in the cookie.

Answer

Ferris · Jul 25, 2017
Header set Set-Cookie HttpOnly;Secure 

in httpd.conf works.
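
A way to check the outcome without a proxy tool, as an added example that is not part of the original question or answer: it audits Set-Cookie values for the two flags and applies simplified Python models of the mod_headers `edit` and `set` actions to a constructed backend cookie. The function names, the sample `JSESSIONID` value and the two models are assumptions made for illustration.

```python
import re

REQUIRED = ("httponly", "secure")

def parse_set_cookie(value):
    """Return (cookie name or None, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    pair = parts[0]
    name = pair.split("=", 1)[0].strip() if "=" in pair else None
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name or None, attrs

def audit(set_cookie_values):
    """Map each Set-Cookie value to its list of problems (empty list = OK)."""
    report = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name is None:
            # No cookie name: whatever cookie the backend sent is not in this value.
            report[value] = ["no name=value pair"]
        else:
            report[value] = [f"missing {a}" for a in REQUIRED if a not in attrs]
    return report

# Simplified models of two mod_headers actions (assumption: a single response).
def header_edit(values, pattern, replacement):
    """'Header edit': regex-rewrite each existing value of the header."""
    return [re.sub(pattern, replacement, v, count=1) for v in values]

def header_set(values, new_value):
    """'Header set': replace every existing value of the header with one value."""
    return [new_value]

# Constructed sample: a session cookie as a Tomcat backend might send it.
BACKEND = ["JSESSIONID=0123ABCD; Path=/"]

if __name__ == "__main__":
    cases = {
        "backend, untouched": BACKEND,
        "Header edit ... $1;HttpOnly": header_edit(BACKEND, r"^(.*)$", r"\1;HttpOnly"),
        "Header set ... HttpOnly;Secure": header_set(BACKEND, "HttpOnly;Secure"),
        "edit appending both flags": header_edit(BACKEND, r"^(.*)$", r"\1; HttpOnly; Secure"),
    }
    for label, values in cases.items():
        for value, problems in audit(values).items():
            print(f"{label:32} {value!r}: {problems or 'OK'}")
```

In the Apache documentation, `set` replaces any previous header of that name, while `edit` rewrites each existing value in place.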