Many older web applications do not apply headers and cookie flags that are now considered standard information security practice. For example: Pragma: no-cache, Cache-Control: no-cache, and the httpOnly and secure cookie flags. Adding these controls can be achieved using ModSecurity without any need to modify the application code. In the case where I needed to modify the cookie headers to include these new controls, I added the following to the core rule set file modsecurity_crs_16_session_hijacking.conf:
# Append httpOnly to any outbound JSESSIONID Set-Cookie value that does not already carry it
Header edit Set-Cookie "(?i)^(JSESSIONID=(?:(?!httponly).)+)$" "$1; httpOnly"
# Replace any cache headers the application sets so responses are never stored
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "0"
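To see exactly which Set-Cookie values the edit above rewrites, and to verify a response after the change, here is an added Python example (not part of the original post) that emulates the four directives on a constructed header list and audits the result for the controls the post calls for. The sample headers and the audit_headers checker are assumptions of this example.

```python
import re

# Same pattern as the Header edit directive above: case-insensitive, anchored to
# the whole Set-Cookie value, and matching only when "httponly" is not already present.
JSESSIONID_RE = re.compile(r"^(JSESSIONID=(?:(?!httponly).)+)$", re.IGNORECASE)

def apply_httponly_edit(set_cookie_value):
    """Emulate Header edit Set-Cookie "<pattern>" "$1; httpOnly" on one header value."""
    return JSESSIONID_RE.sub(r"\1; httpOnly", set_cookie_value)

def after_apache_directives(headers):
    """Emulate all four directives on a (name, value) list: Header set replaces any
    existing value, Header edit is applied here to every Set-Cookie line."""
    out = [(n, apply_httponly_edit(v) if n.lower() == "set-cookie" else v)
           for n, v in headers if n.lower() not in ("cache-control", "pragma", "expires")]
    return out + [("Cache-Control", "no-cache, no-store, must-revalidate"),
                  ("Pragma", "no-cache"), ("Expires", "0")]

def audit_headers(headers):
    """Return the controls from the post that are missing in a response's header list."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    cc_tokens = {t.strip() for v in by_name.get("cache-control", []) for t in v.lower().split(",")}
    for token in ("no-cache", "no-store", "must-revalidate"):
        if token not in cc_tokens:
            findings.append("Cache-Control missing " + token)
    if "no-cache" not in [v.strip().lower() for v in by_name.get("pragma", [])]:
        findings.append("Pragma: no-cache missing")
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cname = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append("cookie " + cname + " missing HttpOnly")
        if "secure" not in attrs:
            findings.append("cookie " + cname + " missing Secure")
    return findings

# Constructed sample: what a legacy servlet application sends before the directives exist.
BEFORE = [("Content-Type", "text/html"), ("Set-Cookie", "JSESSIONID=ABC123; Path=/app")]

if __name__ == "__main__":
    print(audit_headers(BEFORE))
    print(audit_headers(after_apache_directives(BEFORE)))
```

The second audit still reports the missing Secure flag: the directives above add httpOnly and the cache headers, but a separate Header edit is needed if the secure flag is also wanted.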
This..