
Set Cookie - Secure JSESSIONID


yusuf rifqi


Hi, can anyone help?

 

I need to secure the JSESSIONID cookie of a website. I already followed this documentation: https://support.citrix.com/article/CTX138055?_ga=2.70706136.930864797.1589765246-915864116.1573976921

But it's not working as expected (still not Secure).

 

Here is my config & result.

Is there anything missing / wrong in my config?

Thanks.

 

[screenshots]


8 hours ago, Grega Zoubek said:

Also, do you see any policy hits on your rw policy?

 

yes, I see the policy hits when the web page is visited or refreshed.

 

Is there any possibility that this policy is not working because the path is "/scmt_web" (as can be seen from this picture below)

[screenshot]

while in the Rewrite policy and action created the path is only "/" ?

If yes, how to write the correct expression or regex on Rewrite Action Policy?

If no, do you know what's wrong?

 

Thank You.


13 hours ago, Ross Bender said:

Could you share what resolved response header is returned (from the client's perspective)?

Hi, Sure.

 

Response Header

[screenshot]

 

and Request Header

[screenshot]

 

I hope there is a solution according to this.

 

Thank You.

 

 


Is the rewrite policy bound to the lb vserver and is the vserver configured for SSL?

Is the policy bound to the response time bind point?

If more than one rewrite policy is bound (globally or at the vserver-level), did you set the policy binding's GoTo expression on earlier policies to NEXT instead of END to make sure multiple policy matches can occur?

 

Since we can't see the entirety of the refine search field, I think you need to change it to:

re!(path=/scmt_web/\;   

And include the trailing slash in the path reference in both instances.

Use a show ns runningconfig | grep <rewrite policy/action name>

next time to get the actual commands to create the policy instead of the screenshots for better troubleshooting.

 

I would configure a log action in the policy so you can track if/when the policy is hit to assist in debugging; if no policy hit, then we know where to start troubleshooting.  Don't forget you must also enable "user configurable messages" in the global syslog parameter for these log actions to be logged.

 

 

 


9 hours ago, Rhonda Rowland1709152125 said:

Is the rewrite policy bound to the lb vserver and is the vserver configured for SSL?

Is the policy bound to the response time bind point?

If more than one rewrite policy is bound (globally or at the vserver-level), did you set the policy binding's GoTo expression on earlier policies to NEXT instead of END to make sure multiple policy matches can occur?

 

Since we can't see the entirety of the refine search field, I think you need to change it to:

re!(path=/scmt_web/\;   

And include the trailing slash in the path reference in both instances.

Use a show ns runningconfig | grep <rewrite policy/action name>

next time to get the actual commands to create the policy instead of the screenshots for better troubleshooting.

 

I would configure a log action in the policy so you can track if/when the policy is hit to assist in debugging; if no policy hit, then we know where to start troubleshooting.  Don't forget you must also enable "user configurable messages" in the global syslog parameter for these log actions to be logged.

 

 

 

Hi, regarding your questions:

Yes, the policy is bound to the SSL Virtual Server.

No, there isn't any rewrite policy on that vserver except this one.

This is the refine search field (I created it based on https://support.citrix.com/article/CTX138055):

re!(path=/\; Secure; HttpOnly)|(path=/\; Secure)|(path=/\; HttpOnly)|(path=/)!

 

Should I change it to something like this?

re!(path=/scmt_web/\; Secure; HttpOnly)|(path=/scmt_web/\; Secure)|(path=/scmt_web/\; HttpOnly)|(path=/scmt_web/)!

 

Together with this expression?

"Secure; HttpOnly; path=/scmt_web/"

 

Thanks for your attention.


Hi Everyone, I got an answer for this case,

 

After doing some troubleshooting and testing in my lab, I found that the problem was case sensitivity.

I found that for the Expression and Regex, ("path: /") had to be written in capital letters ("Path: /").

I didn't know why this was, but it is working. Maybe someone can explain?


Note: I also tried something else, and found out that if the cookies are PHP (PHPSESSID), then the prefix must be lowercase ("path: /").

 

Hope this is useful, and correct me if I'm wrong.

Thank You.


  • 3 years later...

It all depends on what cookie value NetScaler is receiving from the backend server. Regex is case sensitive, and the regular expression (regex) will fail if the case doesn't match.

Everything depends on the cookie value which is received from the backend server. The regex is case-sensitive, meaning the regular expression (regex) will not succeed if the case doesn't match.


Initially, check the cookie value received from the backend, and set the regex value accordingly. If there is a URL in the path, ensure that it is also specified in both the regex and the expression.

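The case mismatch this thread arrives at, as an added Python example (not part of any post, and not NetScaler configuration): it applies the search pattern quoted above case-sensitively to constructed Set-Cookie values, then contrasts it with an attribute-aware check that ignores attribute-name casing. The cookie values and all function names are assumptions made for illustration.

```python
import re

# Search pattern and replacement as quoted in the thread (lowercase "path").
THREAD_PATTERN = r"(path=/\; Secure; HttpOnly)|(path=/\; Secure)|(path=/\; HttpOnly)|(path=/)"
THREAD_REPLACEMENT = "Secure; HttpOnly; path=/"

def rewrite_case_sensitive(set_cookie: str) -> str:
    """Emulate a case-sensitive replace-all over one Set-Cookie value."""
    return re.sub(THREAD_PATTERN, THREAD_REPLACEMENT, set_cookie)

def cookie_attributes(set_cookie: str) -> dict:
    """Parse the attributes after name=value; attribute names are lowercased."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name:
            attrs[name.lower()] = value
    return attrs

def harden(set_cookie: str) -> str:
    """Append Secure and HttpOnly if missing, whatever casing the backend used."""
    attrs = cookie_attributes(set_cookie)
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return "; ".join([set_cookie.rstrip("; ")] + missing)

def is_hardened(set_cookie: str) -> bool:
    """True only when both Secure and HttpOnly are present."""
    attrs = cookie_attributes(set_cookie)
    return "secure" in attrs and "httponly" in attrs

# Constructed sample headers (not captured from the poster's site).
SAMPLES = {
    "capital Path with app path": "JSESSIONID=0123ABCD; Path=/scmt_web; HttpOnly",
    "lowercase path": "PHPSESSID=89efcdab; path=/",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        rewritten = rewrite_case_sensitive(header)
        print(f"{label}: thread pattern -> {rewritten!r} hardened={is_hardened(rewritten)}")
        print(f"{label}: attribute-aware -> {harden(header)!r}")
```

The first sample passes through the thread's pattern unchanged because "Path" does not match "path", which is the silent failure the original poster observed: the policy is hit but the header is never modified.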
