Issue
I have an Apache 2.4 and Tomcat 9 setup. I need to set the SameSite attribute on the JSESSIONID cookie.
Using Fiddler, I can see that the cookie is set as follows when I log in:
Set-Cookie: JSESSIONID=XXXXXXXXXXX; Path=/prod1; Secure; HttpOnly
I also want to set the SameSite attribute on the cookie using Apache. I have the following in the vhost conf, but this doesn't seem to work:
Header always edit* Set-Cookie "^(JSESSIONID.*)$" $1;SameSite=Lax
I know that the Header directive works, as I have set other attributes (not on cookies) just above this line. However, this one doesn't seem to work. I've tried a few variations, but can't seem to get it working.
Any suggestions?
Solution
With some more trial and error, I found that removing the always condition works and the JSESSIONID cookie has the SameSite attribute.
Looking at the Apache mod_headers documentation, the reason is not clear. The documentation says:
always is not a superset of onsuccess with respect to existing headers
However, it doesn't give much detail. Ref: Apache Module mod_headers
Answered By - hoz
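The non-working and working directives side by side, as an added example that is not part of the original question or answer. The reason the answer leaves open is that the "always" condition applies the edit to Apache's err_headers_out table, whereas a plain "Header edit" (the default onsuccess condition) works on headers_out, which is where the Set-Cookie header of a successful proxied Tomcat response is stored; the "always" edit silently matches nothing because the cookie is in the other table. The host name, the mod_proxy ProxyPass lines and the use of mod_proxy at all are assumptions for illustration (the page does not say how Apache is connected to Tomcat); only the /prod1 context path comes from the cookie shown in the question.

```apache
# Added example: assumed Apache 2.4 vhost in front of Tomcat 9. mod_proxy
# and the host name are assumptions; the page only shows the cookie's Path.
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    # ... certificate directives omitted ...

    ProxyPass        /prod1 http://127.0.0.1:8080/prod1
    ProxyPassReverse /prod1 http://127.0.0.1:8080/prod1

    # Does NOT work: "always" edits the err_headers_out table, but the
    # Set-Cookie of a proxied 2xx response lives in headers_out, so the
    # pattern never matches and the cookie goes out without SameSite.
    # Header always edit* Set-Cookie "^(JSESSIONID.*)$" "$1; SameSite=Lax"

    # Works: the default (onsuccess) condition edits headers_out. The PCRE
    # negative lookahead keeps the rule from appending a second SameSite
    # attribute if Tomcat is ever configured to emit one itself.
    Header edit* Set-Cookie "^(JSESSIONID=(?!.*SameSite=).*)$" "$1; SameSite=Lax"
</VirtualHost>
```

After a reload, log in again and check the response in Fiddler (or with curl -skI against the login URL): the Set-Cookie line should now end in "; SameSite=Lax" alongside Secure and HttpOnly. Because the rule only rewrites a header that is already present, it cannot introduce a cookie on responses that do not set one. If the attribute can be fixed at the source instead, Tomcat 9's Rfc6265CookieProcessor accepts a sameSiteCookies attribute in context.xml; that alternative is outside what the question and answer cover.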