Cookie Does Not Contain The "secure" Attribute

We have to get like this secure tag.We added script in httpd.conf but still doesnt show We tried lots of scripts combinations.One of them did it but this time, apache didn't start.Any suggestion would be nice
(By the way mod_header exist and working)
I tried those scripts one by one.

#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#Header set Set-Cookie HttpOnly;Secure ---------------------------------------> only this works it but when we activated it.Site login patch doesnt appear(login patch have to come)
#Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
#Header always edit Set-Cookie "(?i)^((??!;\s?HttpOnly).)+)$" "$1; HttpOnly"
#Header always edit Set-Cookie "(?i)^((??!;\s?secure).)+)$" "$1; secure"


Our server result:

For those who are confused, this question references Apache httpd server, not Apache Tomcat.


Here's a good document on the http only attribute:

https://www.owasp.org/index.php/HttpOnly

And on the "secure" atttribute:

https://www.owasp.org/index.php/SecureFlag

What you are calling "scripts", I believe are actually mod_header transformation rules. I recommend that you wrap Code tags (the message editor has a Code button) around your sample text so that the message display formatter doesn't make them unreadable. Also, please paste actual text (again, using Code tags), not screen shots. It will help people read the message easier.

Beyond, that, you seem to be saying that it works except for something called the "site login patch". I don't know what that is, so I can't help on that.

Tim Holloway wrote:For those who are confused, this question references Apache httpd server, not Apache Tomcat.


Here's a good document on the http only attribute:

https://www.owasp.org/index.php/HttpOnly

And on the "secure" atttribute:

https://www.owasp.org/index.php/SecureFlag

What you are calling "scripts", I believe are actually mod_header transformation rules. I recommend that you wrap Code tags (the message editor has a Code button) around your sample text so that the message display formatter doesn't make them unreadable. Also, please paste actual text (again, using Code tags), not screen shots. It will help people read the message easier.

Beyond, that, you seem to be saying that it works except for something called the "site login patch". I don't know what that is, so I can't help on that.

Hey Tim,
I wrote the above combinations but it didnt work.We cant intervention code side.We are just managing this servers.We have to do it, its demand of our customer