Protecting against cookie poisoning and other cookie-based attacks
A cookie security policy allows you to configure FortiWeb features that prevent cookie-based attacks and apply them in a protection profile. For example, a policy can enable cookie poisoning detection, encrypt the cookies issued by a back-end server, and add security attributes to cookies.
Note: When you first introduce some of the cookie security features, cookies that client browsers have cached earlier can generate false positives. To avoid this problem, use the Allow Suspicious Cookies setting to either take no action against violations of the cookie security features or delay taking action until a specific date.
To configure cookie security
- Go to Web Protection > Cookie Security.
- Click Create New and configure these settings:
  - Name: Enter a name that identifies the policy when you select it in a protection profile.
  - Security Mode: Select one of the following:
    - None—FortiWeb does not apply cookie tampering protection or encrypt cookie values.
    - Signed—Prevents tampering (cookie poisoning) by tracking the cookie value. This option requires you to enable Session Management in the protection policy and the client to support cookies.
      When FortiWeb receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. When you select this option, the session-tracking cookie includes a hash value that FortiWeb uses to detect tampering with the cookie from the back-end server response. If FortiWeb determines the cookie from the client has changed, it takes the specified action.
    - Encrypted—Encrypts cookie values the back-end web server sends to clients. Clients see only encrypted cookies. FortiWeb decrypts cookies submitted by clients before it sends them to the back-end server. No back-end server configuration changes are required.
  - Cookie Replay: Optionally, select whether FortiWeb uses the IP address of a request to determine the owner of the cookie.
    Note: This is available only when Security Mode is configured as Encrypted.
  - Allow Suspicious Cookies: Select whether FortiWeb allows requests that contain cookies that it does not recognize or that are missing cookies.
    - When Security Mode is Encrypted, suspicious cookies are cookies for which FortiWeb does not have a corresponding encrypted cookie value.
    - When Cookie Replay is IP, the suspicious cookie is a missing cookie that tracks the client IP address.
    In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.
    - Never—FortiWeb does not take the action specified by Action against suspicious cookies.
    - Always—FortiWeb always takes the specified action against suspicious cookies.
    - Custom—FortiWeb takes the specified action against suspicious cookies starting on the date specified by Don't Block Until.
    This feature is not available if Security Mode is None.
  - Don't Block Until: If Allow Suspicious Cookies is Custom, enter the date on which FortiWeb starts to take the specified action against suspicious cookies.
  - Cookie Security Attributes:
    - Cookie Max Age: Enter the maximum age (in minutes) permitted for cookies that do not have an “Expires” or “Max-Age” attribute.
      To configure no expiry age for cookies, enter
    - Secure Cookie: Enable to add the secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page.
    - HTTP Only: Enable to add the "HTTP Only" flag to cookies, which prevents client-side scripts from accessing the cookie.
  - Action: For cookie security features that trigger an action, select the action that FortiWeb takes:
    - Alert—Accept the request and generate an alert email, log message, or both.
    - Alert & Deny—Block the request and generate an alert, log message, or both.
    - Deny (no log)—Block the request (or reset the connection).
    - Remove Cookie—Accept the request, but remove the cookie from the datagram before it reaches the web server, and generate an alert message, log message, or both.
    - Period Block—Block requests for the number of seconds specified by Block Period. For details, see Monitoring currently blocked IPs.
      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.
  - Block Period: When Action is Period Block, the number of seconds that FortiWeb blocks requests that have violated cookie security features.
  - Severity: Select the severity level FortiWeb uses when it logs a violation of a cookie security feature. The default value is High.
  - Trigger Policy: Select the trigger policy FortiWeb uses when it logs a violation of a cookie security feature.
- Click OK.
- If you want to specify cookies that are exempt from the cookie security policy, under the Cookie Exceptions Table, click Create New and configure these settings:
  - Cookie Name: Enter the name of the cookie, such as
  - Cookie Domain: Optionally, enter the partial or complete domain name or IP address as it appears in the cookie. For example:
    If clients sometimes access the back-end server via IP address instead of DNS, create exemption items for both.
  - Cookie Path: Optionally, enter the path as it appears in the cookie, such as
- To apply the cookie security policy, select it in an inline protection profile. For details, see Configuring a protection profile for inline topologies.
  If Security Mode is Signed, ensure that Session Management is enabled for the profile.
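The Signed mode, the Cookie Security Attributes and the Allow Suspicious Cookies choices above describe what an in-line proxy does to cookies in both directions. The following Python example is added here to show that mechanism in working code; it is not FortiWeb code and does not reproduce FortiWeb's actual algorithm. It assumes a constructed HMAC key, a hypothetical set of protected cookie names, a "." separator between value and tag, and the Never / Always / Custom semantics exactly as the page states them. On the response side it appends a keyed tag to each protected Set-Cookie value and adds Secure, HttpOnly and a Max-Age (only when the origin sent neither Expires nor Max-Age); on the request side it classifies each cookie as valid, tampered, suspicious (no tag, e.g. cached before the policy went live) or untracked, decides whether the configured action applies, and restores the origin's own values before the request is forwarded. An Encrypted mode would replace the tag with authenticated encryption of the value; the flow is otherwise the same.

```python
import base64
import hashlib
import hmac
from datetime import date
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed example key: a real proxy would load this from secret storage.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"
TAG_BYTES = 16                      # truncated HMAC-SHA256 tag appended to each value
PROTECTED = {"sessionid", "cart"}   # hypothetical cookie names covered by the policy


def _tag(name: str, value: str) -> str:
    """Tag bound to both name and value, so a tag cannot be moved between cookies."""
    mac = hmac.new(SIGNING_KEY, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:TAG_BYTES]).decode().rstrip("=")


def sign_set_cookie(header: str, max_age_minutes: int = 30) -> str:
    """Rewrite one Set-Cookie header from the origin on its way to the client:
    tag a protected cookie's value, add Secure and HttpOnly, and add Max-Age only
    when the origin set neither Expires nor Max-Age."""
    jar = SimpleCookie()
    jar.load(header)
    [(name, morsel)] = jar.items()
    if name in PROTECTED:
        signed = f"{morsel.value}.{_tag(name, morsel.value)}"
        morsel.set(name, signed, signed)
    morsel["secure"] = True
    morsel["httponly"] = True
    if not morsel["expires"] and not morsel["max-age"]:
        morsel["max-age"] = max_age_minutes * 60
    return morsel.OutputString()


def classify_cookie_header(header: str) -> Dict[str, str]:
    """Classify each cookie in a request's Cookie header:
      ok         - protected, tag present and valid
      tampered   - protected, tag present but does not match the value
      suspicious - protected but carries no tag (e.g. cached before the policy)
      untracked  - not covered by the policy
    Assumption: protected values never contain "." on their own."""
    jar = SimpleCookie()
    jar.load(header)
    result = {}
    for name, morsel in jar.items():
        if name not in PROTECTED:
            result[name] = "untracked"
            continue
        value, sep, tag = morsel.value.rpartition(".")
        if not sep:
            result[name] = "suspicious"
        elif hmac.compare_digest(tag, _tag(name, value)):
            result[name] = "ok"
        else:
            result[name] = "tampered"
    return result


def decide(classes: Dict[str, str], allow_suspicious: str = "never",
           dont_block_until: Optional[str] = None, today: Optional[str] = None) -> str:
    """Return "action" when the configured action should be taken, else "accept".
    A tampered cookie always triggers the action. For suspicious cookies the
    Allow Suspicious Cookies setting decides, with the meanings the page gives:
    never = do not act, always = act, custom = act from an ISO start date."""
    if "tampered" in classes.values():
        return "action"
    if "suspicious" not in classes.values():
        return "accept"
    if allow_suspicious == "always":
        return "action"
    if allow_suspicious == "custom":
        start = date.fromisoformat(dont_block_until)
        now = date.fromisoformat(today) if today else date.today()
        return "action" if now >= start else "accept"
    return "accept"


def strip_tags(header: str) -> str:
    """Restore the origin's own values (tags removed from verified cookies) before
    forwarding the request to the back-end server."""
    classes = classify_cookie_header(header)
    jar = SimpleCookie()
    jar.load(header)
    parts = []
    for name, morsel in jar.items():
        value = morsel.value
        if classes[name] == "ok":
            value = value.rpartition(".")[0]
        parts.append(f"{name}={value}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed origin response header and the client's later request.
    out = sign_set_cookie("sessionid=abc123; Path=/")
    print(out)
    client_value = out.split(";")[0].split("=", 1)[1]
    classes = classify_cookie_header(f"sessionid={client_value}; theme=dark")
    print(classes, decide(classes))
    print(strip_tags(f"sessionid={client_value}; theme=dark"))
```

The tag covers the cookie name as well as the value so that a valid tag from one cookie cannot be reused on another, and comparison uses a constant-time check. Untagged protected cookies are reported separately from tampered ones, which is what lets a rollout start in Never or Custom mode and later switch to taking the action without mislabelling pre-policy cookies as attacks.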