How to remove a cookie in Apache

Question

I need to remove a cookie from the HTTP request that gets to the server. Doing it on the client (that writes this cookie) or on the server (that reads it) is not an option.

Answer 1

I use this to unset all cookies (good to serve static content)

Header unset Cookie
Header unset Set-Cookie

Answer 2

You can manage specific cookies using following statements in apache reverse proxy configurations:

To remove any specific cookie you can use:
'Header add Set-Cookie "ANY_COOKIE='';expires='SOME_DATE_IN_PAST'; Max-Age=0; Path=COOKIE_PATH"'

By specifying past date, you tell the browser that the cookie has expired and browser will discard the cookie.

To add any cookie you can use:
'Header add Set-Cookie "ANY_COOKIE='ANY_VALUE';expires='SOME_FUTURE_DATE'; Path=COOKIE_PATH"'

Be sure that you specify the some future date. If you do not specify any date, the cookie will be treated as session cookie.

Try using the following to remove specific cookie from request:

'RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"'

Answer 3

Apache mod_rewrite allows manipulation of URLs but not of HTTP headers, however 'mod_headers' will let you do that.

So, you could use:

RequestHeader unset Cookie

This will strip all cookies from the request. I'm not sure if its possible to remove just a particular cookie using this technique.

Alternatively, you can stop cookies being passed back to the client using:

Header unset Set-Cookie

if that's more appropriate.

Answer 4

With Apache > 2.2.4, you could have used :

RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2