Hello, everyone,
I am trying to set up HttpOnly for cookies, but no matter whether I set it in php.ini or the .htaccess file, it doesn't work.
My website: Opencart 3.0.3.2 + Journal 3 theme.
Server info: Apache 2.4 / LiteSpeed / PHP 7.3
LiteSpeed said: 'In Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure, edit is not supported'
https://www.litespeedtech.com/support/w ... es_by_lsws
What shall I do?
Thanks in advance!
Last edited by moco123 on Tue Jan 12, 2021 10:11 am, edited 1 time in total.
You will probably have to find setcookie in the PHP files and add the flags you need.
For example these two locations for a start.
https://github.com/opencart/opencart/bl ... k.php#L108
https://github.com/opencart/opencart/bl ... on.php#L25
Dear @ADD Creative,
Thanks for your help.
I think your idea is right. My server said that 'By default LiteSpeed has the Set-Cookie with a secure flag when served over HTTPS. It looks like these settings are actually being overwritten by the OpenCart script'.
Following your suggestion, I added 'ini_get('session.cookie_httponly')' to the files you mentioned and set 'session.cookie_httponly = On' in the php.ini file, but I still can't get the desired result.
I don't know if my settings are correct; I hope to get your further guidance.
Thanks again!
You can't use session.cookie_httponly as this only affects the session cookie that OpenCart 3 does not use. You have to actually change the code.
Code:
// The last two arguments are setcookie()'s secure and httponly flags.
setcookie($config->get('session_name'), $session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'), true, true);
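To confirm which cookies still lack the flags after a code change like the one above, the Set-Cookie response headers can be audited. This is an added example, not part of the original thread or OpenCart's code; the sample headers, cookie names and values are constructed.

```python
"""Audit Set-Cookie response headers for missing Secure / HttpOnly flags."""

# Constructed sample response headers (cookie names and values are made up
# for illustration); replace with headers captured from your own site.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: OCSESSID=0123456789abcdef; path=/
Set-Cookie: language=en-gb; expires=Thu, 11-Feb-2021 10:11:00 GMT; path=/; secure
Set-Cookie: note=httponly; Path=/; Secure
Set-Cookie: currency=USD; Path=/; Secure; HttpOnly
"""

REQUIRED = ("secure", "httponly")


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    pair, *attrs = value.split(";")
    name = pair.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; only the part before '=' counts,
    # and the cookie's own name=value pair is never treated as an attribute.
    names = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, names


def audit(raw_headers):
    """Map each cookie name to the list of required flags it lacks."""
    findings = {}
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings[name] = [flag for flag in REQUIRED if flag not in attrs]
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        status = "missing " + ", ".join(missing) if missing else "ok"
        print(f"{cookie}: {status}")
```

A cookie whose value merely contains the text "httponly" is still reported, because only attributes after the first semicolon are considered.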