Forum Discussion
Configure the Domain cookie attribute which instructs web browsers to only send the cookie to the specified domain and all subdomains
Hi,
Can we configure the "Domain" cookie attribute via ASM or iRule? This is a PCI security requirement that we have to impose.
We just need a Domain attribute in the session cookie. Currently, since the domain attribute is not set, by default the cookie will only be sent to the origin server. This can allow an attacker to launch attacks on the session IDs between different hosts and web applications belonging to the same domain.
Please advise.
2 Replies
- Michael_Jenkins
Cirrostratus
In our environment, we use a few subdomains (xyz.example.com, or abc.example.com) and with an iRule have added additional set-cookie headers when the access policy is started to add the session id cookies and specify the domain (domain.com). With this, we get the cookie on that domain as well as any subdomains. Hope this helps (and that I understood your question right).
- Michael_Jenkins
Cirrostratus
Basically, this is what we are using (though we also have an iRule that intercepts logoff pages to ensure removal of these cookies too). I think we set a variable in access policy completed to check here and do this so you don't have it adding every time, just when the policy completes and the user is logged in.
when HTTP_RESPONSE_RELEASE {
    # Might could use HTTP_RESPONSE instead of HTTP_RESPONSE_RELEASE
    set sid [ACCESS::session sid]
    # Domain needs the prefixed "." (the original posted a variable named
    # "domaininfo" here but referenced "$domain" below; one name is used now)
    set domain ".[domain [HTTP::host] 2]"
    HTTP::cookie insert name "MRHSession" value $sid path "/" domain $domain
    HTTP::cookie insert name "LastMRH_Session" value [substr $sid [expr [string length $sid] - 8]] path "/" domain $domain
}
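An added example (not from this thread or from F5) for verifying, from the client side, that the APM session cookies the iRule above emits carry the intended Domain and Path: it derives the expected domain the same way the iRule does (last two labels of the Host header, dot-prefixed) and checks each Set-Cookie header. The cookie names MRHSession and LastMRH_Session come from the reply; the sample headers are constructed.

```python
SESSION_COOKIES = {"MRHSession", "LastMRH_Session"}


def cookie_domain(host, labels=2):
    """Mimic the iRule's '.[domain [HTTP::host] 2]': drop any port, keep the
    last `labels` DNS labels of the Host header and prefix a dot."""
    host = host.split(":", 1)[0].strip().lower().rstrip(".")
    return "." + ".".join(host.split(".")[-labels:])


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in attrs:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or True
    return cookie


def check_session_cookies(set_cookie_headers, host):
    """Return a list of findings; empty when both session cookies are present,
    scoped to the expected domain (leading dot ignored, as browsers do) and Path=/."""
    expected = cookie_domain(host).lstrip(".")
    findings, seen = [], set()
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if c["name"] not in SESSION_COOKIES:
            continue
        seen.add(c["name"])
        domain = c.get("domain")
        if domain is None:
            findings.append(f"{c['name']}: no Domain attribute (host-only cookie)")
        elif domain.lower().lstrip(".") != expected:
            findings.append(f"{c['name']}: Domain={domain}, expected .{expected}")
        if c.get("path") != "/":
            findings.append(f"{c['name']}: Path is {c.get('path')!r}, expected '/'")
    for missing in sorted(SESSION_COOKIES - seen):
        findings.append(f"{missing}: not set")
    return findings


if __name__ == "__main__":
    # Constructed sample: what a response through the iRule should look like.
    headers = ["MRHSession=abc123def456; path=/; domain=.example.com",
               "LastMRH_Session=23def456; path=/; domain=.example.com"]
    print(check_session_cookies(headers, "xyz.example.com:443"))  # []
```

Note that `domain [HTTP::host] 2` yields `.co.uk` for a host under a two-label public suffix such as example.co.uk, and browsers discard cookies scoped to a public suffix, so the label count must match the registrable domain in use.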