* Allow Cookie option to set secure and HttpOnly flags

PR: 44799
Submitted by: Christian Wenz <christian wenz.org>
Reviewed by: rpluem



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@647395 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 7 insertions, 3 deletions

diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml
index c68253f4a5..eb9af09601 100644
--- a/docs/manual/mod/mod_rewrite.xml
+++ b/docs/manual/mod/mod_rewrite.xml
@@ -1251,14 +1251,18 @@ cannot use <code>$N</code> in the substitution string!
         when you let an external redirect happen (where the
         ``<code>.www</code>'' part should not occur!).</dd>
 
-        <dt>'<code>cookie|CO=</code><em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>]]'
+        <dt>'<code>cookie|CO=</code><em>NAME</em>:<em>VAL</em>:<em>domain</em>[:<em>lifetime</em>[:<em>path</em>[:<em>secure</em>[:<em>httponly</em>]]]]'
         (set cookie)</dt><dd>
         This sets a cookie in the client's browser.  The cookie's name
         is specified by <em>NAME</em> and the value is
         <em>VAL</em>. The <em>domain</em> field is the domain of the
         cookie, such as '.apache.org', the optional <em>lifetime</em>
-	is the lifetime of the cookie in minutes, and the optional 
-	<em>path</em> is the path of the cookie</dd>
+        is the lifetime of the cookie in minutes, and the optional 
+        <em>path</em> is the path of the cookie. If <em>secure</em>
+        is set to 'true' or '1', the cookie is only transmitted via secured
+        connections. If <em>httponly</em> is set to any string, the
+        <code>HttpOnly</code> flag is used, making the cookie not accessible
+        to JavaScript code on browsers that support this feature.</dd>
 
         <dt>
         '<code>env|E=</code><em>VAR</em>:<em>VAL</em>'