Cookie Validation

[Anukool mehta]

Hi,

 

Our WAF Logs are showing this error message

 

default APPFW APPFW_COOKIE 801185 0 : 10.125.35.23 380966-PPE3 iBIxLBPY9SK20spDhnfeocCznkk0002 APPFW_XYZ_Block https://www.xyz.com/ Cookie validation failed for Locale <blocked>

 

Can you please help me understand the reason this cookie validation and the subsequent flow is being blocked

Also can you please tell me how I can put in a relaxation rue for this?

 

 

THanks

 

 

[Rhonda Rowland1709152125]

Cookie Consistency check (block-mode; not transform mode); performs a cookie signing validation.

When the previous response sets a cookies (from the web server), the cookie is tracked by the ADC. First a citrix_ns_id sessionization cookie is created and then a persistent cookie is set by the ADC WAF in addition to the original application's persistent cookie(s) or a session cookie is set by the ADC WAF in addition to the original application's session cookies.

 

During the subsequent request, if a application cookie is presented to the ADC that was either 1) not sighed by the WAF or 2) was modified client side and therefore doesn't match the tracking cookie, that cookie is in violation.

The BLOCK action strips the cookie from the request from ADC to server.  It does not stop the request from going through. But with the cookie, the app may not work right.  The block will be logged; but it doesn't stop the request like other request time block protections.

 

So a cookie consistency violation usually indicates that 1) the protection was turned on AFTER cookies were set client side, so you have a lot of existing cookies being presented to the ADC that weren't signed/tracked and therefore they look like a violation.  To fix: clear client cookies before turning on this feature (which can be a bigger issue than you expect).  2) the cookie was tracked/signed by the WAF properly, but the application does in fact use client-side scripts to modify the cookie instead of sending the cookie to the server to be modified allowing the update to be tracked by WAF on the following response.  If this is the case, the Cookie Consistency check can be disabled OR that particular cookie can be exempted.

 

https://support.citrix.com/article/CTX131488 -  Modifications to requests/response made by appfw (includes cookie protection)

https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/top-level-protections/cookie-consistency-check.html - admin guide section

 

Cookie transform is different style of protections. But in general, before turning either one off, you need to clear or expire existing cookies so the new cookies are properly protected.