Set-Cookie: A=a;domain=.x.com;path=/
Set-Cookie: B=b;HttpOnly
Set-Cookie: C=c;Secure
Cookie: A=a
Cookie: B=b; C=c
define action sign_all
iterate(response.header.Set-Cookie)
; For every NAME=VALUE<attributes> cookie in the response, append a companion
; BCSIG_NAME=<hmac of VALUE> cookie that carries the same attributes
iterator.append("$(iterator:rewrite(([^=]*)=([^;]*)(.*),BCSIG_$(1)=$(2:hmac)$(3)))")
end
end
<Proxy>
server_url.domain=x.com/ action.sign_all(yes)
In the samples above, x.com is the domain of the application. For example, for an application served from bluecoat.com the rule would read server_url.domain=bluecoat.com.
Note: all other code samples will work for SGOS 6.5 and SGOS 6.4
Add policy to delete any cookie that is unsigned.
In this sample policy the signature cookies themselves are stripped, so the application never sees them, and every remaining cookie that does not have a matching signature cookie is deleted.
define action delete_all_unsigned_cookies
iterate(request.header.Cookie)
; Delete the signature cookies
iterator.prefix="BCSIG_" iterator.delete()
; Delete any cookies without a matching signature cookie
request.header.Cookie.exact=!"$(iterator:rewrite(([^=]*)=(.*),BCSIG_$(1)=$(2:hmac)))" iterator.delete()
end
end
<Proxy>
url.domain=x.com/ action.delete_all_unsigned_cookies(yes)
In the sample above, x.com is the domain of the application.
If a large number of site URLs need the same signing policy, define a URL condition to simplify policy creation.
Note: You must add policy for each application that has a different url.domain.
Install the policy.
The resulting HTTP response indicates that all cookies have been signed:
Set-Cookie: A=a;domain=.x.com;path=/
Set-Cookie: B=b;HttpOnly
Set-Cookie: C=c;Secure
Set-Cookie: BCSIG_A=signature_code(a);domain=.x.com;path=/
Set-Cookie: BCSIG_B=signature_code(b);HttpOnly
Set-Cookie: BCSIG_C=signature_code(c);Secure
Sign All Cookies with Exceptions
Some applications update cookie values on the client as users interact with the application. Because the signature is computed over the value at the time the cookie is issued, a cookie whose value changes afterwards no longer matches its signature cookie and is deleted on the next request, so these applications may not function correctly if those cookies are signed.
Use this policy when most of your cookies must be signed but a few must remain unsigned. Any other unsigned cookie is deleted; the unsigned cookies named in the policy are forwarded to the application unchanged.
Add policy to sign all cookies except for B and C cookies.
define action sign_all_but_B_and_C
iterate(response.header.Set-Cookie)
; Skip cookies B and C: a rule with a condition and no action ends
; evaluation for this cookie, so the append below is never reached
iterator.prefix=("B=", "C=")
; Sign every other cookie
iterator.append("$(iterator:rewrite(([^=]*)=([^;]*)(.*),BCSIG_$(1)=$(2:hmac)$(3)))")
end
end
<Proxy>
server_url.domain=x.com/ action.sign_all_but_B_and_C(yes)
In the sample above, x.com is the domain of the application.
Add policy to delete all unsigned cookies except for B and C cookies.
define action delete_all_unsigned_cookies_except_B_or_C
iterate(request.header.Cookie)
; Delete signature cookies
iterator.prefix="BCSIG_" iterator.delete()
; Skip cookies B and C (condition with no action: this cookie is kept as is)
iterator.prefix=("B=", "C=")
; Delete any other cookie without a matching signature cookie
request.header.Cookie.exact=!"$(iterator:rewrite(([^=]*)=(.*),BCSIG_$(1)=$(2:hmac)))" iterator.delete()
end
end
<Proxy>
url.domain=x.com/ action.delete_all_unsigned_cookies_except_B_or_C(yes)
In the sample above, x.com is the domain of the application.
Update the line iterator.prefix=("B=", "C=") to name the cookies that should not be signed and that should not be deleted when they arrive unsigned. This line must be the same in the signing policy and in the deleting policy.
Note: You must add policy for each application that has a different url.domain.
Install the policy.
The resulting HTTP response indicates that all cookies except B and C have been signed:
Set-Cookie: A=a;domain=.x.com;path=/
Set-Cookie: B=b;HttpOnly
Set-Cookie: C=c;Secure
Set-Cookie: BCSIG_A=signature_code(a);domain=.x.com;path=/
Later requests reach the application with the following cookies: A because it carries a valid signature cookie, B and C because they are exempt from the check. Any other unsigned cookie would have been deleted:
Cookie: A=a
Cookie: B=b
Cookie: C=c
Sign Only Specific Cookies
If your application generates many cookies but only a few carry sensitive data or grant access to the system, leave the majority unsigned and sign only those few. With this policy, a cookie that must be signed is deleted when it arrives without a matching signature cookie; all other cookies are forwarded without being checked.
Add policy to only sign B and C cookies.
define action sign_only_B_and_C
iterate(response.header.Set-Cookie)
; Sign only cookies B and C; every other cookie is left untouched
iterator.prefix=("B=", "C=") iterator.append("$(iterator:rewrite(([^=]*)=([^;]*)(.*),BCSIG_$(1)=$(2:hmac)$(3)))")
end
end
<Proxy>
server_url.domain=x.com/ action.sign_only_B_and_C(yes)
In the example above, x.com is the domain of the application.
Add policy to delete cookie B or C when it arrives without a matching signature cookie. Cookies other than B and C are not checked and pass through unchanged.
define action delete_all_unsigned_cookies_except_B_or_C
iterate(request.header.Cookie)
; Delete signature cookies
iterator.prefix="BCSIG_" iterator.delete()
; Delete cookie B or C if it does not have a matching signature cookie;
; both conditions are on one rule so that other cookies are never checked
iterator.prefix=("B=", "C=") request.header.Cookie.exact=!"$(iterator:rewrite(([^=]*)=(.*),BCSIG_$(1)=$(2:hmac)))" iterator.delete()
end
end
<Proxy>
url.domain=x.com/ action.delete_all_unsigned_cookies_except_B_or_C(yes)
In the example above, x.com is the domain of the application.
Update the line iterator.prefix=("B=", "C=") to name the cookies that must be signed; only these cookies are checked on requests. This line must be the same in the signing policy and in the deleting policy.
Note: You must add policy for each application that has a different url.domain.
Install the policy.
The resulting HTTP response shows that only cookies B and C have been signed:
Set-Cookie: A=a;domain=.x.com;path=/
Set-Cookie: B=b;HttpOnly
Set-Cookie: C=c;Secure
Set-Cookie: BCSIG_B=signature_code(b);HttpOnly
Set-Cookie: BCSIG_C=signature_code(c);Secure
On a later request in which cookie B arrives without a valid signature cookie, B is deleted because it is unsigned, while A (never signed and not checked) and C (valid signature) reach the application:
Cookie: A=a
Cookie: C=c
Task 3: Prevent Cookie Replay Attacks
A cookie replay attack occurs when an attacker presents a valid cookie that was issued to someone else, for example a session cookie captured from another user, in order to reach the application as that user. The signatures above cover only the cookie value, so a captured cookie together with its BCSIG_ companion verifies no matter which client presents it. For added protection, bind the signature to the client as well, so that the appliance rejects a replayed cookie and signature pair.
In both the signing and the deleting policy, insert one of the following between the text "$(2" and ":hmac)":
":concat($(client.address))"
":concat($(user))"
Which of the two to use depends on your deployment, for example on the number of mobile users and on whether users are authenticated against the ProxySG appliance (for example, through a SAML realm configured on the appliance). The following sections describe each choice.
Using the Client Address
If users are not authenticated against the ProxySG appliance, bind the signature to the client address. With this policy, the signature is computed over the cookie value followed by the client IP address, so a cookie presented from an address other than the one it was originally issued to no longer verifies and is deleted.
The following policy specifies the client address:
define action delete_all_unsigned_cookies
iterate(request.header.Cookie)
; Delete signature cookies
iterator.prefix="BCSIG_" iterator.delete()
; Delete any cookie whose signature does not match value+client address
request.header.Cookie.regex=!"$(iterator:rewrite(([^=]*)=(.*),BCSIG_$(1)=$(2:concat($(client.address)):hmac)))" iterator.delete()
end
end
define action sign_all
iterate(response.header.Set-Cookie)
; Sign value+client address so the signature is tied to the issuing client
iterator.append("$(iterator:rewrite(([^=]*)=([^;]*)(.*),BCSIG_$(1)=$(2:concat($(client.address)):hmac)$(3)))")
end
end
The policy doesn’t prevent replay attacks where the replayed cookie’s address has been forged (spoofed) to match the original cookie’s address.
Important Note About This Policy
The client.address policy deletes any cookie that doesn't come from the same IP address to which the original cookie was sent, and is therefore inappropriate for mobile users whose IP addresses change frequently. The policy is also less effective than intended in Citrix and similar environments where many users share the same client IP address, because any of those users can replay another's cookie from that address.
Using the Username
If users authenticate against the ProxySG appliance, bind the signature to the username. With this policy, the signature is computed over the cookie value followed by the authenticated username, so a cookie and signature pair is rejected unless the request is made by the user the cookie was originally issued to.
The following policy specifies the username:
define action delete_all_unsigned_cookies
iterate(request.header.Cookie)
; Delete signature cookies
iterator.prefix="BCSIG_" iterator.delete()
; Delete any cookie whose signature does not match value+authenticated user
request.header.Cookie.regex=!"$(iterator:rewrite(([^=]*)=(.*),BCSIG_$(1)=$(2:concat($(user)):hmac)))" iterator.delete()
end
end
define action sign_all
iterate(response.header.Set-Cookie)
; Sign value+username so the signature is tied to the authenticated user
iterator.append("$(iterator:rewrite(([^=]*)=([^;]*)(.*),BCSIG_$(1)=$(2:concat($(user)):hmac)$(3)))")
end
end
Important Note About This Policy
If users do not authenticate against the ProxySG appliance, the username is blank and the appliance evaluates the policy as if the ":concat($(user))" text were omitted, so the replay protection silently disappears. Use the policy described in Using the Client Address if users in your deployment do not authenticate against the ProxySG appliance.
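As an added illustration of the mechanism the tasks above describe (response-side signing with exceptions, request-side deletion of unsigned cookies, and the client-address or username binding used against replay), the following Python model reproduces that behaviour end to end. It is not ProxySG code: the page does not state which hash the hmac modifier uses or where its key lives, so HMAC-SHA256 under a constructed key stands in for it, and the Set-Cookie headers, Cookie headers and client addresses below are constructed inputs.

```python
import hashlib
import hmac
import re

# Constructed demo key standing in for the appliance-held secret the real
# 'hmac' modifier uses (algorithm and key source are not given on the page).
KEY = b"constructed-demo-key"
SIG_PREFIX = "BCSIG_"
# Same capture groups as the CPL rewrite(([^=]*)=([^;]*)(.*), ...) pattern.
_SET_COOKIE = re.compile(r"([^=]*)=([^;]*)(.*)")


def signature(value: str, binding: str = "") -> str:
    """Models $(2:concat(binding):hmac): the MAC covers value followed by binding.
    Like concat(), no separator is inserted between the two."""
    return hmac.new(KEY, (value + binding).encode(), hashlib.sha256).hexdigest()


def sign_set_cookies(set_cookies, only=None, skip=(), binding=""):
    """Models the sign_* actions on the response side.

    only -- sign only these cookie names (Sign Only Specific Cookies)
    skip -- never sign these names (Sign All Cookies with Exceptions)
    Each signed cookie gets a companion BCSIG_<name> that carries the
    original cookie's attributes, exactly as the rewrite() replacement does.
    """
    out = list(set_cookies)
    for sc in set_cookies:
        m = _SET_COOKIE.match(sc)
        if not m:
            continue                       # not NAME=VALUE..., nothing to sign
        name, value, attrs = m.groups()
        if name in skip or (only is not None and name not in only):
            continue
        out.append(f"{SIG_PREFIX}{name}={signature(value, binding)}{attrs}")
    return out


def filter_cookie_header(cookie_header, exempt=(), check_only=None, binding=""):
    """Models the delete_all_unsigned_cookies* actions on the request side.

    Returns the Cookie header the application receives: every BCSIG_ cookie
    is removed, names in 'exempt' pass through unverified, and when
    'check_only' is given only those names are verified. A verified cookie
    whose signature is missing or does not match is deleted.
    """
    sigs, plain = {}, []
    for c in cookie_header.split(";"):
        c = c.strip()
        if not c:
            continue
        name, _, value = c.partition("=")
        if name.startswith(SIG_PREFIX):
            sigs[name[len(SIG_PREFIX):]] = value   # stripped, never forwarded
        else:
            plain.append((name, value))
    kept = []
    for name, value in plain:
        verify = name not in exempt and (check_only is None or name in check_only)
        if verify and not hmac.compare_digest(
                sigs.get(name, "").encode(), signature(value, binding).encode()):
            continue                               # unsigned or tampered: deleted
        kept.append(f"{name}={value}")
    return "; ".join(kept)


def replay_demo():
    """Issue cookies bound to one client address, then replay them elsewhere."""
    issued = sign_set_cookies(["A=a;domain=.x.com;path=/", "B=b;HttpOnly"],
                              binding="10.0.0.5")
    # Constructed browser behaviour: it returns every cookie, signatures included.
    cookies = [sc.split(";")[0] for sc in issued]
    browser = "; ".join(cookies)
    tampered = "; ".join("B=admin" if c == "B=b" else c for c in cookies)
    unauth = sign_set_cookies(["C=c;Secure"], binding="")   # blank $(user)
    return {
        "same_client": filter_cookie_header(browser, binding="10.0.0.5"),
        "other_client": filter_cookie_header(browser, binding="10.0.0.9"),
        "tampered": filter_cookie_header(tampered, binding="10.0.0.5"),
        # A blank username binds nothing: verifies exactly like an unbound cookie.
        "blank_user": filter_cookie_header("; ".join(sc.split(";")[0] for sc in unauth)),
    }
```

filter_cookie_header() with exempt=("B", "C") corresponds to delete_all_unsigned_cookies_except_B_or_C in Sign All Cookies with Exceptions, and with check_only=("B", "C") to the Sign Only Specific Cookies variant. In replay_demo() the same cookie and signature pair verifies from 10.0.0.5, is deleted when presented from 10.0.0.9, and is deleted when its value is altered; the blank-username case verifies with no binding at all, which is the behaviour the note above warns about.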