Add `SameSite` part to the Set-Cookie header

1. The problem I’m having:

I have an upstream server setting PHPSESSID cookie with Set-Cookie header in a format like PHPSESSID=1sqkri8n8l0jioth9l5mie4vk1; path=/

I want to suffix this value with ; SameSite=None; Secure

I tried humongous (GPT-generated) configs to try to achieve that, but it won't work. It either does nothing or returns 2 Set-Cookie headers: the original one and the ; SameSite=None one, separately.

2. Error messages and/or full log output:

2023/06/14 06:21:04.161	INFO	using adjacent Caddyfile
2023/06/14 06:21:04.162	WARN	Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies	{"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2023/06/14 06:21:04.163	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/06/14 06:21:04.164	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000445650"}
2023/06/14 06:21:04.165	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/06/14 06:21:04.165	INFO	tls	cleaning storage unit	{"description": "FileStorage:/home/theuargb/.local/share/caddy"}
2023/06/14 06:21:04.165	INFO	tls	finished cleaning storage units
2023/06/14 06:21:04.165	INFO	autosaved config (load with --resume flag)	{"file": "/home/theuargb/.config/caddy/autosave.json"}
2023/06/14 06:21:04.165	INFO	serving initial configuration

3. Caddy version:

2.6.4

4. How I installed and ran Caddy:

a. System environment:

Fedora (native)

b. Command:

./caddy run

d. My complete Caddy config:

http://localhost:7777 {
    reverse_proxy some.backend.com {
        header_up Host {upstream_hostport}
    }
    header {
        Set-Cookie "PHPSESSID={http.request.cookie.PHPSESSID}; path=/; SameSite=None; Secure;"
    }
}

http://localhost:7777 {
    reverse_proxy some.backend.com {
        header_up Host {upstream_hostport}
    }

    header {
        Set-Cookie {http.request.header.Set-Cookie}{", SameSite=None"}
        defer
    }
}

I can’t recommend ChatGPT for Caddy configs. It doesn’t know how to differentiate between Caddy v1 and v2 configs, which are not the same at all since v2 was a complete rewrite. It can do a decent job at explaining concepts, but it doesn’t understand that it should ignore content before 2020 as irrelevant.

You can do this:

    header {
        Set-Cookie (.*) "$1; SameSite=None; Secure"
        defer
    }

The docs unfortunately don't show an example like this, but I think they should. I'll update them as such.

Worth noting, the defer is necessary so that the header operation happens after the handler that writes the response runs (i.e. after PHP runs); otherwise, by default, it will try to perform the replacement right away (before), but there's no header to replace yet.

Also, I just opened a quick PR to make the syntax shorter (should land in v2.7.0): "headers: Allow `>` defer shortcut for replacements" by francislavoie · Pull Request #5574 · caddyserver/caddy · GitHub
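The rewrite the reply describes, shown as an added Go example that is not part of this thread and not Caddy's own code. It does in plain `net/http` what `header { Set-Cookie (.*) "$1; SameSite=None; Secure" defer }` does in the Caddyfile: the upstream is a constructed stand-in that emits the same `PHPSESSID=...; path=/` header as in the post, and `httputil.ReverseProxy.ModifyResponse` plays the role of `defer`, because it runs only after the upstream has answered and the Set-Cookie header actually exists. The function names (`ForceSameSiteNone`, `rewriteSetCookie`, `ProxyDemo`) are mine. It goes slightly beyond the one-line regex in the reply: an existing `SameSite=` attribute is replaced rather than duplicated, and `Secure` is added only if missing, so the result is the same whether or not the upstream already set either attribute.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strings"
)

// Attribute matchers are case-insensitive because cookie attribute names are.
var (
	sameSiteRe = regexp.MustCompile(`(?i);\s*samesite=[^;]*`)
	secureRe   = regexp.MustCompile(`(?i);\s*secure\s*(;|$)`)
)

// ForceSameSiteNone rewrites one Set-Cookie value so that it carries
// "SameSite=None; Secure" exactly once. An existing SameSite value is
// overwritten instead of appended (two SameSite attributes would be ambiguous
// to read even though browsers honour the last one); Secure is appended only
// when absent. A trailing ";" or whitespace, as in the post's first attempt, is
// trimmed first so no empty attribute is produced.
func ForceSameSiteNone(setCookie string) string {
	v := strings.TrimRight(setCookie, "; \t")
	if v == "" {
		return setCookie
	}
	if sameSiteRe.MatchString(v) {
		v = sameSiteRe.ReplaceAllString(v, "; SameSite=None")
	} else {
		v += "; SameSite=None"
	}
	if !secureRe.MatchString(v) {
		v += "; Secure"
	}
	return v
}

// rewriteSetCookie applies ForceSameSiteNone to every Set-Cookie header in h,
// preserving their order. Set-Cookie is the one header that must not be joined
// with commas, so each value is re-added separately.
func rewriteSetCookie(h http.Header) {
	vals := h.Values("Set-Cookie")
	if len(vals) == 0 {
		return
	}
	h.Del("Set-Cookie")
	for _, v := range vals {
		h.Add("Set-Cookie", ForceSameSiteNone(v))
	}
}

// ProxyDemo stands up a constructed upstream that behaves like the PHP backend
// in the post, proxies one request through a reverse proxy that rewrites the
// cookie after the upstream responds, and returns the Set-Cookie headers the
// client finally sees.
func ProxyDemo() ([]string, error) {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed sample: same shape as the header quoted in the post.
		w.Header().Add("Set-Cookie", "PHPSESSID=1sqkri8n8l0jioth9l5mie4vk1; path=/")
		fmt.Fprint(w, "ok")
	}))
	defer upstream.Close()

	target, err := url.Parse(upstream.URL)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	// ModifyResponse runs after the upstream reply arrives: the equivalent of
	// Caddy's `defer`, without which there is no Set-Cookie header to edit yet.
	proxy.ModifyResponse = func(resp *http.Response) error {
		rewriteSetCookie(resp.Header)
		return nil
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	resp, err := http.Get(front.URL + "/")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return resp.Header.Values("Set-Cookie"), nil
}

func main() {
	cookies, err := ProxyDemo()
	if err != nil {
		log.Fatal(err)
	}
	for _, c := range cookies {
		fmt.Println("Set-Cookie:", c)
	}
}
```

One caveat a practitioner should keep in mind: `Secure` means the browser will only send the cookie back over HTTPS, so with the `http://localhost:7777` listener from the post the session survives only because current browsers treat `localhost` as a secure context; on any other plain-http host the rewritten cookie would be dropped and every request would get a fresh session.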

