On 02/27/2013 11:36 AM, Jeannette Brown wrote:
> Old web app server does not know how to add httpOnly flag to session cookie.
>
> Squid 2.7 is used in front of web app server in reverse proxy mode.

Squid cannot modify header by adding httponly flag to an existing cookie value, but you can use an eCAP adapter (Squid v3 only) or an ICAP service (heavy) to do that. For more info, see http://wiki.squid-cache.org/SquidFaq/ContentAdaptation

FWIW, Squid v3.3 has almost enough code to support this via a helper or even pure squid.conf magic, but I think we are missing response_header_add and possibly other small bits.

HTH,

Alex.
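
The response-header rewrite that a content adaptation service would have to perform for this, shown in Python as an added example (not part of the original message and not Squid, eCAP or ICAP code). The session cookie names and the sample response head are assumptions constructed for illustration.

```python
"""Add HttpOnly to session cookies in an HTTP response head (added example)."""

# Assumption: names of the cookies that carry the session; use the application's own.
SESSION_COOKIES = {"JSESSIONID", "PHPSESSID"}


def add_httponly(value, names=SESSION_COOKIES):
    """Return a Set-Cookie value with HttpOnly appended when it is missing."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return value                      # malformed cookie: leave untouched
    name = parts[0].split("=", 1)[0].strip()
    if name not in names:
        return value                      # not a session cookie
    if any(p.lower() == "httponly" for p in parts[1:]):
        return value                      # flag already present (any case)
    return "; ".join(parts + ["HttpOnly"])


def rewrite_head(head, names=SESSION_COOKIES):
    """Rewrite every Set-Cookie line of a CRLF-separated response head.

    Each Set-Cookie header is handled on its own line; they are never merged
    with commas, because Expires dates contain a comma themselves.
    """
    out = []
    for line in head.split("\r\n"):
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            line = field + ": " + add_httponly(value.strip(), names)
        out.append(line)
    return "\r\n".join(out)


# Constructed sample response head, as the old application server might send it.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Expires=Wed, 27 Feb 2013 12:00:00 GMT\r\n"
    "set-cookie: PHPSESSID=xyz; path=/; httponly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(rewrite_head(SAMPLE))
```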