
Edit Cookie HttpOnly value


Due to PCI regulations, most cookies in my application need to be secure and httponly. I have achieved that through this line in my Apache config file:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

However, this breaks part of the application where a single cookie, let's call it foobar, must be read by JavaScript. Therefore I need to remove the HttpOnly for this cookie only.

I've played around with several approaches including mod_rewrite but I can't get the HttpOnly to drop off the cookie. I don't want to reset the value of the cookie etc., just take off the HttpOnly part.

E.g. Header always edit Set-Cookie ^(foobar=.*)$ $1 (doesn't work)


Solution

  • Try this:

    Header edit Set-Cookie ^((?!foobar=).*)$ $1;HttpOnly;Secure
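
An added example, not part of the original question or answer: a Python model of `Header edit` run over constructed Set-Cookie values, showing which cookies the answer's rule changes. It goes beyond the answer by also modelling a two-rule split (`SPLIT_RULES`, an assumption not taken from the page) that keeps Secure on foobar; Python's `re` stands in for Apache's regex engine, and all function names are hypothetical.

```python
import re

# Constructed sample Set-Cookie values (not taken from the page).
SAMPLE = [
    "JSESSIONID=abc123; Path=/",
    "foobar=ui-state; Path=/",
    "notfoobar=1; Path=/",   # name merely contains "foobar"
]

# Rule from the answer above: (regex, replacement) as given to Header edit.
ANSWER_RULES = [(r"^((?!foobar=).*)$", "$1;HttpOnly;Secure")]

# Assumed variant (not from the page): Secure for all, HttpOnly for all but foobar.
SPLIT_RULES = [
    (r"^(.*)$", "$1;Secure"),
    (r"^((?!foobar=).*)$", "$1;HttpOnly"),
]

def header_edit(value, pattern, replacement):
    """Model one 'Header edit': substitute the first match in one header value.
    Apache writes back-references as $1; Python needs \\g<1>."""
    py_repl = re.sub(r"\$(\d)", lambda m: "\\g<" + m.group(1) + ">", replacement)
    return re.sub(pattern, py_repl, value, count=1)

def apply_rules(values, rules):
    """Apply each rule in order to every Set-Cookie value."""
    out = []
    for v in values:
        for pattern, replacement in rules:
            v = header_edit(v, pattern, replacement)
        out.append(v)
    return out

def attributes(value):
    """Return the lower-cased attribute names after the name=value pair."""
    return {p.strip().split("=")[0].lower() for p in value.split(";")[1:]}

if __name__ == "__main__":
    for label, rules in (("answer", ANSWER_RULES), ("split", SPLIT_RULES)):
        for v in apply_rules(SAMPLE, rules):
            print(label, "->", v)
```

With the answer's single rule, foobar is skipped entirely, so it is sent without Secure as well as without HttpOnly; the split rules add Secure to every cookie and withhold only HttpOnly from foobar.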