    Program your cookies with NetScaler ADC

    Submitted April 15, 2021

    Author: Raghav SN


    Cookies are an indispensable part of any web app, and hardening them is a basic step in securing an app. Every web app needs its own set of cookie attributes, driven by feature requirements and the client profile, so you can’t take a one-size-fits-all approach to formatting cookies. Now, with our most recent NetScaler ADC release, you can program the cookies that the ADC itself generates to align with your app’s security requirements.

    Certain apps store session state locally on the instance that served the user and read it back when the user returns, for example a shopping cart in an e-commerce application. Every subsequent request from that user must therefore reach the same application instance. To provide this stickiness, NetScaler ADC inserts its own persistence cookie, which should carry the same security attributes as the app's back-end cookies.

    I covered securing back-end cookies in a recent blog post. ADC-generated cookies need the same level of programmability, so that you get stickiness to the back end together with the required protection. Chrome's change to ‘SameSite’ handling (cookies without the attribute are treated as SameSite=Lax, and cookies with SameSite=None are rejected unless they are also marked Secure) made this programmability necessary, mainly to keep legitimate cross-site access to apps working and to ensure app access isn’t broken by Chrome updates.

    You can leverage NetScaler ADC’s rewrite policy infrastructure and policy variables to program ADC-generated cookies. Using rewrite policies, the app owner dictates the conditions under which a cookie attribute is included and, using a ‘Variable’, the value of that attribute. When the ADC inserts its cookie, it reads the variable and appends the attributes it holds. In this blog post, I’ll cover enabling cross-site access for ADC-generated cookies.

    Enabling Cross-Site Access for NetScaler ADC Cookies

    Let’s look at the ‘SameSite’ attribute for ADC-generated cookies. You can extend the approach below to other cookie attributes that may be added to the cookie specification later. You define the required cookie attribute(s) in the load balancing profile as shown here:

    add lb profile webapp_profile -LiteralADCCookieAttribute ";SameSite=None; secure"
    set lb vserver <LB vserver name> -lbprofilename webapp_profile

    The configured cookie attribute will be appended to all ADC-generated cookies in responses forwarded to the client in cases of:

    If you need to add the SameSite attribute above for all the apps front-ended by the NetScaler ADC, set it in the global load balancing parameters instead:

    set lb parameter -LiteralADCCookieAttribute ";SameSite=None; secure"

    If the cookie attributes must be inserted conditionally, define a policy ‘Variable’ to carry the attribute text and set it from rewrite policies that carry the required condition(s).

    For example, to omit the SameSite attribute only when the client request comes from an incompatible browser (Chrome versions 51 through 66, which reject any cookie carrying SameSite=None), use the following:

    add ns variable cookie_attribute -type TEXT(100) -scope transaction
    add lb profile webapp_profile -ComputedADCCookieAttribute "$cookie_attribute"
    set lb vserver <LB vserver name> -lbprofilename webapp_profile
    add ns assignment null_assignment -variable $cookie_attribute -set ""
    add policy expression exp_chrome "(HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrom\") && HTTP.REQ.HEADER(\"User-Agent\").REGEX_SELECT(re/Chrom.*\\d+./).REGEX_SELECT(re/\\d+/).TYPECAST_NUM_T(DECIMAL).BETWEEN(51,66))"
    add rewrite policy exception_list "exp_chrome" null_assignment
    add ns assignment cookie_assignment -variable $cookie_attribute -set "\"SameSite=None; secure\""
    add rewrite policy append_samesite_cookie true cookie_assignment

    Please note, if both LiteralADCCookieAttribute and ComputedADCCookieAttribute are configured, ComputedADCCookieAttribute takes precedence.

    Bind the above HTTP rewrite policies to the load balancing virtual server (LB vserver) front-ending your application:

    bind lb vserver <LB vserver name> -policyName exception_list -priority 10 -gotoPriorityExpression END -type RESPONSE
    bind lb vserver <LB vserver name> -policyName append_samesite_cookie -priority 20 -gotoPriorityExpression NEXT -type RESPONSE

    If all apps front-ended by the NetScaler ADC have the same requirement for securing ADC-generated cookies, you can bind the above rewrite policies to the global HTTP response override bind point. This saves you from repeating the above changes on each application-specific LB vserver:

    bind rewrite global exception_list 10 END -type RES_OVERRIDE
    bind rewrite global append_samesite_cookie 20 NEXT -type RES_OVERRIDE

    Please note, when binding policies to an LB vserver or to the global override bind point, set the goto priority expression in the ‘bind’ command to ‘NEXT’, or to the priority of the next policy in the list that must still run, so that your other existing rewrite policies continue to be evaluated alongside the new SameSite policies. ‘END’ on exception_list stops evaluation of every remaining policy at that bind point for a matching request, not only append_samesite_cookie; if you have other rewrite policies bound after it, point its goto expression at their priority instead of ‘END’.
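    The policy chain above is easy to get wrong in the User-Agent regex, and the only way to test it on the ADC is to send traffic through it. The following Python port of the same logic is an added example (it is not Citrix code and does not run on the ADC): the two regular expressions are copied from the exp_chrome expression, the inclusive 51..66 range mirrors NetScaler's BETWEEN, and the two policies are modelled in the order their priorities and goto expressions impose. The sample User-Agent strings are constructed, the cookie name NSC_example is a placeholder, and the "; " separator used when appending the attribute is an assumption of this example.

```python
import re

# Regexes copied from the exp_chrome policy expression on the page.
CHROME_TAIL = re.compile(r"Chrom.*\d+.")  # re/Chrom.*\d+./
FIRST_NUMBER = re.compile(r"\d+")         # re/\d+/

# The text that cookie_assignment stores in $cookie_attribute.
SAMESITE_NONE_SECURE = "SameSite=None; secure"

# Constructed sample User-Agent strings (not captured from real traffic).
CHROME_60_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
CHROME_89_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"


def chrome_major_version(user_agent):
    """Mirror the CONTAINS check and the two chained REGEX_SELECTs: the first
    run of digits after 'Chrom', or None when the header has no 'Chrom'."""
    if "Chrom" not in user_agent:          # HTTP.REQ.HEADER("User-Agent").CONTAINS("Chrom")
        return None
    tail = CHROME_TAIL.search(user_agent)  # first REGEX_SELECT
    if tail is None:
        return None
    number = FIRST_NUMBER.search(tail.group(0))  # second REGEX_SELECT
    return int(number.group(0)) if number else None  # TYPECAST_NUM_T(DECIMAL)


def is_incompatible_chrome(user_agent):
    """exp_chrome: Chrome/Chromium 51..66, inclusive like NetScaler BETWEEN.
    These builds drop any cookie that carries SameSite=None."""
    major = chrome_major_version(user_agent)
    return major is not None and 51 <= major <= 66


def computed_cookie_attribute(user_agent):
    """Value of $cookie_attribute once the response policies have run:
    exception_list (priority 10, goto END) stores "" for the incompatible
    range and stops; otherwise append_samesite_cookie (priority 20) stores
    the SameSite=None; secure text."""
    return "" if is_incompatible_chrome(user_agent) else SAMESITE_NONE_SECURE


def adc_set_cookie(name, value, user_agent):
    """Set-Cookie value the ADC would emit for one of its own cookies.
    The '; ' separator is an assumption of this example."""
    attr = computed_cookie_attribute(user_agent)
    return f"{name}={value}; {attr}" if attr else f"{name}={value}"


if __name__ == "__main__":
    for ua in (CHROME_60_UA, CHROME_89_UA, FIREFOX_UA):
        print(adc_set_cookie("NSC_example", "0a1b2c", ua))
```

    Run it with a list of the User-Agent strings you actually see in your logs before you bind the policies: any browser for which chrome_major_version returns a value outside the range, or None, gets the attribute, so a mismatch here tells you the regex will misclassify that client on the ADC too.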

    Enhancing ADC Cookie Security

    To keep ADC-generated cookies out of reach of client-side script, so that a cross-site scripting (XSS) flaw in the app cannot read them, we recommend adding the ‘HttpOnly’ attribute as shown below (in addition to the cookie attributes covered above). You should also encrypt the ADC persistence cookie, so that its contents, which identify the back-end server selected for the session, are opaque to an attacker.

    set lb profile webapp_profile -httpOnlyCookieFlag ENABLED -useEncryptedPersistenceCookie ENABLED
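    After applying the profile settings above, verify the result on the wire rather than trusting the configuration. The checker below is an added example (not Citrix code): it parses the Set-Cookie headers of a captured response and reports which cookies lack Secure, HttpOnly or a SameSite attribute, and which carry SameSite=None without Secure and would therefore be rejected by Chrome 80 and later. The sample response is constructed; the cookie names and values in it are placeholders.

```python
def parse_set_cookie(header_value):
    """Return (name, value, attrs) for one Set-Cookie header value.
    Attribute names are lower-cased; flags such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Findings for one cookie; an empty list means it meets the bar set above."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    samesite = attrs.get("samesite", "").lower()
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: Chrome 80+ rejects the cookie")
    elif not samesite:
        findings.append("no SameSite attribute: Chrome 80+ treats it as Lax, so cross-site use breaks")
    return findings


def audit_response(raw_response):
    """Audit every Set-Cookie header in a raw HTTP response (headers only).
    Returns {cookie name: [findings]}."""
    report = {}
    for line in raw_response.splitlines():
        header, sep, val = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            name = parse_set_cookie(val.strip())[0]
            report[name] = audit_set_cookie(val.strip())
    return report


# Constructed sample response: a hardened ADC persistence cookie, an app
# cookie missing every attribute, and one Chrome would reject outright.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: NSC_webapp=abc123; SameSite=None; secure; HttpOnly
Set-Cookie: JSESSIONID=1A2B3C; Path=/
Set-Cookie: cart=42; SameSite=None
Content-Type: text/html
"""

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

    Feed it the headers from curl -i against the LB vserver, once with a current Chrome User-Agent and once with a Chrome 60 one, to confirm both that the attribute appears for the former and that the exception policy really suppresses it for the latter.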

    Learn More

    The ability to program protocol specifications, like cookies, to tailor a NetScaler ADC configuration to meet your application needs is powerful. Learn more about NetScaler ADC’s cookie-protection features and NetScaler ADC policy infrastructure.
