
Using mod_rewrite to access httpOnly cookie?

@Shanna517

Posted in: #Apache2 #Cookie #ModRewrite #Proxy

I have Apache running as a secure proxy (Port 443) between an HTTPS site and the rest of the world. This site is setting a secure, httpOnly cookie. The cookie when seen in a trace shows up in a response packet shown below:

... Other headers
Content-Length: 366
Set-Cookie: Cookie=!bZ..mumbojumbo..; Secure; path=/; Httponly; Secure
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
.... Other content


I have the http-ssl.conf set up the following way:
# Set our new cookie to the content of the secure cookie, if present.
RewriteCond %{HTTP_COOKIE} Cookie=([^;]+) [NC]
RewriteRule ^(.*)$ / [L,CO=NewCookie:%1:our.proxy.com:1440:/]


On the response, I am not able to see this rule trigger [NewCookie is not set]

Does mod_rewrite explicitly forbid access to httpOnly cookie?


@Ogunnowo487

On the response, I am not able to see this rule trigger [NewCookie is not set]


mod_rewrite only works on the request. So you can't check for the Cookie being set on the response, if that is what you are trying to do?

If your mod_rewrite directives don't appear to be doing anything against the request sent from the client, then it would seem either the cookie is not being sent back, or it is failing to set the NewCookie (e.g. the client rejects it because of a domain mismatch?)

You could perhaps check to see if your directive is being processed, by setting an environment variable and checking for the existence of this in your server-side code. For example:

RewriteRule ^(.*)$ / [L,CO=NewCookie:%1:our.proxy.com:1440:/,E=TRIED_TO_SET_COOKIE:YES]



Note that if you just want to set the cookie, without any URL rewriting then simply use - (hyphen) as the substitution (special feature). This can then be simplified to:

RewriteRule ^ -



Question: Does mod_rewrite explicitly forbid access to httpOnly cookie?


No. mod_rewrite will see the cookie if it is sent in the request.

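The answer's suggestions combined into one virtual-host configuration, as an added example that is not part of the original posts. It assumes the rules sit in the virtual host for our.proxy.com, the log file name and the `cookiedebug` format nickname are hypothetical, and the `secure` and `httponly` fields of the CO flag are added so the copy keeps the protections the backend put on the original cookie.

```apache
RewriteEngine On

# mod_rewrite runs in the request phase. %{HTTP_COOKIE} is the Cookie:
# header sent by the browser, never the backend's Set-Cookie response
# header. The request that first receives the backend cookie therefore
# cannot match; only later requests that send it back can.
#
# HttpOnly only hides the cookie from client-side script. The browser
# still sends it as plain name=value, so the server sees it like any
# other cookie.
#
# The pattern is anchored to the start of a cookie pair so that a cookie
# named e.g. "OtherCookie" does not match by accident.
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)Cookie=([^;]+)

# "-" as the substitution leaves the URL untouched; only the flags act.
# CO field order: name:value:domain:lifetime(minutes):path:secure:httponly
# Without the last two fields the copied value would be readable by
# script and sent over plain HTTP, unlike the original cookie.
RewriteRule ^ - [CO=NewCookie:%1:our.proxy.com:1440:/:secure:httponly,E=TRIED_TO_SET_COOKIE:YES]

# Record whether the rule fired without writing the cookie value to disk.
# "tried=YES" means the condition matched on that request; "tried=-"
# means the browser did not send the cookie back.
LogFormat "%h %t \"%r\" %>s tried=%{TRIED_TO_SET_COOKIE}e" cookiedebug
CustomLog logs/cookie_debug.log cookiedebug
```

If the log shows `tried=YES` but the browser still has no NewCookie, the rule is running and the client is discarding the cookie, which points at the domain field rather than at mod_rewrite.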