Set Cookie - Secure JSESSIONID

[yusuf rifqi]

Hi, can anyone help?

 

i need to secure cookie JSESSIONID of a website. I already following this documentation https://support.citrix.com/article/CTX138055?_ga=2.70706136.930864797.1589765246-915864116.1573976921

but it's not working as expected. (still not Secure)

 

Here is my config & result.

is there anything missing / wrong on my config?

Thanks.

 

 

 

 

 

[Ross Bender]

Could you share what resolved response header is returned (from client's perspective) ?

[Grega Zoubek]

Also, do you see any policy hits on your rw policy?

[yusuf rifqi]

8 hours ago, Grega Zoubek said:

Also, do you see any policy hits on your rw policy?

 

yes, I see the policy hits when the web page is visited or refreshed.

 

Is there any possibility that this policy is not working because the path is "/scmt_web" (as can be seen from this picture below)

while in the Rewrite policy and action created the path is only "/" ?

If yes, how to write the correct expression or regex on Rewrite Action Policy?

If no, do you know what's wrong?

 

Thank You.

[yusuf rifqi]

13 hours ago, Ross Bender said:

Could you share what resolved response header is returned (from client's perspective) ?

Hi, Sure.

 

Response Header

 

and Request Header

 

I hope there is a solution according to this.

 

Thank You.

 

 

[Rhonda Rowland1709152125]

Is the rewrite policy bound to the lb vserver and is the vserver configured for SSL?

Is the policy bound to the response time bind point?

If more than one rewrite policy is bound (globally or at the vserver-level), did you set the policy binding's GoTo expression on earlier policies to NEXT instead of END to make sure multiple policy matches can occur.

 

Since we can't see the entirety of the refine search field, I think you need to change it to:

re!(path=/scmt_web/\;   

And include the trailing slash in the path reference in both instances.

Use a show ns runningconfig | grep <rewrite policy/action name>

next time to get the actual commands to create the policy instead of the screenshots for better troubleshooting.

 

I would configure a log action in the policy so you can track if/when the policy is hit to assist in debugging; if no policy hit, then we know where to start troubleshooting.  Don't forget you must also enable "user configurable messages" in the global syslog parameter for these log actions to be logged.

 

 

 

[yusuf rifqi]

9 hours ago, Rhonda Rowland1709152125 said:

Is the rewrite policy bound to the lb vserver and is the vserver configured for SSL?

Is the policy bound to the response time bind point?

If more than one rewrite policy is bound (globally or at the vserver-level), did you set the policy binding's GoTo expression on earlier policies to NEXT instead of END to make sure multiple policy matches can occur.

 

Since we can't see the entirety of the refine search field, I think you need to change it to:

re!(path=/scmt_web/\;   

And include the trailing slash in the path reference in both instances.

Use a show ns runningconfig | grep <rewrite policy/action name>

next time to get the actual commands to create the policy instead of the screenshots for better troubleshooting.

 

I would configure a log action in the policy so you can track if/when the policy is hit to assist in debugging; if no policy hit, then we know where to start troubleshooting.  Don't forget you must also enable "user configurable messages" in the global syslog parameter for these log actions to be logged.

 

 

 

Hi, as your question;

 

Yes, the policy is bound to SSL Virtual Server

no, there isn't any rewrite policy in that Vserver except this one.

 

This is the refine search field (I create base on https://support.citrix.com/article/CTX138055) : 

re!(path=/\; Secure; HttpOnly)|(path=/\; Secure)|(path=/\; HttpOnly)|(path=/)!

 

Should I change it into like this one: ?

re!(path=/scmt_web/\; Secure; HttpOnly)|(path=/scmt_web/\; Secure)|(path=/scmt_web/\; HttpOnly)|(path=/scmt_web/)!

 

Together with this Expression : ?

"Secure; HttpOnly; path=/scmt_web/"

 

Thanks for your attention.

[yusuf rifqi]

Hi Everyone, I got an answer for this case,

 

After doing a troubleshooting and testing in my lab, I found that the problem was in case sensitive writing.

I found that for Expressions and Regex ("path: /") it had to be written in capital letters ("Path: /").

I didn't know why this was, but it is working. Maybe anyone can explain?

note: I also tried something else, and found out if the cookies are PHP (PHPSESSID), then the prefix must be small ("path: /")

 

Hope this is useful, and correct me if I'm wrong.

Thank You.

[Sibgat UL Hassan1709163357]

it all depends on what value of cookie is NetScaler receiving from backend server. regex is case sensitive And regular expression (regex) will fail if the case doesn’t match.

Everything depends on cookie value which is receiving from the backend server. The regex is case-sensitive, meaning the regular expression (regex) will not succeed if the case doesn't match.

Initially, check the cookie value received from the backend, and set the regex value accordingly. If there is a URL in the path, ensure that it is also specified in both the regex and the expression.