User mod header for only responses setting cookies

Forum Moderators: phranque

Message Too Old, No Replies

User mod header for only responses setting cookies

dfresh4130

2:09 pm on Oct 29, 2012 (gmt 0)

So we have a foreign site that's pulling in a cookie and login widget from our domestic site. Since the foreign site is .de, but our domestic site is .com it treats our login widget request as a third party cookie. To get around this we're using mod_header in apache 2.2 which works, but it's being set on every request. We'd like to find a way for it to only be set on responses that are setting cookies. Below is what we have currently. Is there any way to narrow it down? Thanks

Header set P3P 'CP="This is not a P3P policy! See our privacy statement here http://www.example.com/example/cms/lang/en/site/products/home/privacy-statement"

dfresh4130

7:31 pm on Oct 29, 2012 (gmt 0)

I'm thinking it's possible to create an ifModule statement like below if there's a set-cookie directive in the request. Does anyone have any suggestions on how the syntax would work for something like below?


<IfModule mod_headers>
 [Some command to check if Set-Cookie is being sent]
 Header set P3P 'CP="This is not a P3P policy! See our privacy statement here http://www.example.com/example/cms/lang/en/site/products/home/privacy-statement"
</IfModule>

vincevincevince

2:53 am on Nov 1, 2012 (gmt 0)

All I can think of is using mod_rewrite and a rewriterule to detect the presence of the cookie in the headers, then redirecting (internally?) to something which will set the P3P as required.

lucy24

4:46 am on Nov 1, 2012 (gmt 0)

I'm thinking it's possible to create an ifModule statement like below

There is no reason for the "ifModule" envelope. Either you've got the module or you don't. And if you don't, you'll need to make a different rule.

I keep wondering whether this counts as a third-party cookie and hence something the EU would raise a stink about. In fact it may be a problem anyway. I don't know what the ordinary browser default is, but I know that mine only accepts direct cookies ("from sites I visit"). I'm pretty sure that was the default.