The ForceSecureCookie Directive

Header Edit Set-Cookie Alternative

If you have past experience with Apache, you may have used a Header edit directive such as this to adjust cookie attributes:

Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"

LiteSpeed Web Server does not support Header edit Set-Cookie directives, but there is an alternative way to deal with cookie attributes. First, let’s look at what this directive does:

In English, it’s saying:

If there is a Set-Cookie header, append HTTPOnly;Secure;SameSite=none to the list of existing attributes on that header.

While you can’t use the Header edit directive with LiteSpeed Web Server, you can use ForceSecureCookie.

What the Cookie Attributes Mean

The HTTPOnly tag prevents client-side scripts from accessing the cookie.

The Secure tag prevents the cookie from being sent over HTTP. It may only be sent via a secure HTTPS connection.

SameSite governs the usage of cookies in a first-party or third-party context. SameSite=none specifically states that the cookie is for third-party usage. Other options are strict, which indicates first-party only, and lax which means the cookie may be sent from another site, if it is referencing your site’s content.

Using ForceSecureCookie

LiteSpeed Web Server introduced the ForceSecureCookie directive in v5.4.9b2, and expanded it in v5.4.10b2. You may use ForceSecureCookie in lieu of Apache edit for HTTPOnly, Secure, and SameSite attributes.

Set ForceSecureCookie in the Apache config file at the server or virtual-host level, or in the .htaccess of the document root directory, and assign one or more of the following values:

  • off
  • on or secure
  • httponly
  • same_site_lax or lax
  • same_site_strict or strict
  • same_site_none

(You can combine same_site_xxxx values with secure and httponly.)

So, to return to the example at the beginning of this article, we would replace this:

Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"

with this:

ForceSecureCookie httponly secure same_site_none

As always, when using LiteSpeed-only directives, be sure to place them between <IfModule LiteSpeed>/</IfModule> tags.

More Examples

Enforce the secure attribute only:

<IfModule LiteSpeed>
ForceSecureCookie secure
</IfModule>

The secure; SameSite=none attributes:

<IfModule LiteSpeed>
ForceSecureCookie secure same_site_none
</IfModule>

The SameSite=strict attribute only:

<IfModule LiteSpeed>
ForceSecureCookie strict
</IfModule>

or

<IfModule LiteSpeed>
ForceSecureCookie same_site_strict
</IfModule>


Related Posts


Comments