

Configure the Domain cookie attribute which instructs web browsers to only send the cookie to the specified domain and all subdomains

Hi,

Can we configure the "Domain" cookie attribute via ASM or an iRule? This is a PCI security requirement that we have to impose.

We just need a Domain attribute in the session cookie. Currently since domain attribute is not set, by default the cookie will only be sent to the origin server. This can allow an attacker to launch attacks on the session IDs between different hosts and web applications belonging to the same domain.

Please advise.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Basically, this is what we are using (though we also have an iRule that intercepts logoff pages to ensure removal of these cookies too). I think we set a variable in access policy completed to check here and do this so you don't have it adding every time, just when the policy completes and the user is logged in.

when HTTP_RESPONSE_RELEASE {
    # HTTP_RESPONSE might work here as well instead of HTTP_RESPONSE_RELEASE

    set sid [ACCESS::session sid]
    # Domain needs the prefixed "."; [domain <host> 2] keeps the last two labels of the Host header
    set domaininfo ".[domain [HTTP::host] 2]"

    HTTP::cookie insert name "MRHSession" value $sid path "/" domain $domaininfo
    # LastMRH_Session carries the last 8 characters of the session id
    HTTP::cookie insert name "LastMRH_Session" value [substr $sid [expr {[string length $sid] - 8}]] path "/" domain $domaininfo
}
0
Comments on this Answer
Comment made 21-Jan-2015 by Moinul Rony 113
Awesome, thanks for the hint... I had just implemented the domain cookie. Many thanks. About the prefixed ".", what's the reason behind it?
0
Comment made 21-Jan-2015 by Michael Jenkins 4171
I think it's necessary for the subdomains to get the cookie.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In our environment, we use a few subdomains (xyz.example.com, or abc.example.com) and with an iRule have added additional set-cookie headers when the access policy is started to add the session id cookies and specify the domain (domain.com). With this, we get the cookie on that domain as well as any subdomains. Hope this helps (and that I understood your question right).

0
Comments on this Answer
Comment made 21-Jan-2015 by Moinul Rony 113
Thanks Michael J. Would you be able to share the skeleton of the iRule? That would be really appreciated.
0
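As an added example that is not from this thread or from F5, the same cookie scoping done in Python: derive the parent domain from the Host header the way the iRule's domain command does, build the two Set-Cookie values, and check a response header the way a PCI reviewer would. The Secure and HttpOnly flags are an addition of this example (the iRule above does not set them), and the domain-matching rule follows RFC 6265, under which browsers strip the leading dot.

```python
# Added example, not code from the DevCentral thread or from F5.
from http.cookies import SimpleCookie

def parent_domain(host: str, labels: int = 2) -> str:
    """Mirror the iRule `domain <host> <n>` command: keep the last n labels.
    'portal.xyz.example.com:443' -> 'example.com' (port is dropped)."""
    hostname = host.split(":", 1)[0].lower().rstrip(".")
    return ".".join(hostname.split(".")[-labels:])

def session_set_cookie_headers(sid: str, host: str) -> list:
    """Build the two Set-Cookie values the iRule emits, scoped to the parent
    domain so every subdomain receives them. Cookie names are the APM ones
    used in the thread; Secure/HttpOnly are added here for a PCI review."""
    domain = "." + parent_domain(host, 2)   # leading dot, as in the iRule
    attrs = f"Path=/; Domain={domain}; Secure; HttpOnly"
    return [
        f"MRHSession={sid}; {attrs}",
        f"LastMRH_Session={sid[-8:]}; {attrs}",   # last 8 chars of the sid
    ]

def cookie_domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: the browser ignores a leading dot in the
    Domain attribute and sends the cookie to that domain and its subdomains."""
    host = request_host.split(":", 1)[0].lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def check_session_cookie(set_cookie: str, expected_domain: str) -> list:
    """Review one Set-Cookie header value; an empty list means it passes."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    findings = []
    for name, morsel in jar.items():
        dom = morsel["domain"]
        if not dom:
            findings.append(f"{name}: no Domain attribute (host-only cookie)")
        elif dom.lstrip(".") != expected_domain.lstrip("."):
            findings.append(f"{name}: Domain is {dom!r}, expected {expected_domain!r}")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
    return findings

if __name__ == "__main__":
    # Constructed sample: a session id and a subdomain host, as in the thread
    for header in session_set_cookie_headers("0123456789abcdef", "abc.example.com"):
        print(header, check_session_cookie(header, ".example.com"))
```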