origin-cookie-redirect might go into a loop with Mozilla Firefox and Google Chrome for certain domains because these browsers reject cookies set by the ProxySG

Article Id: 167754
Status: Published
Updated On: 13-05-2017 10:45
Legacy Id: TECH243674
Products:
ProxySG Software - SGOS
Issue/Introduction:

origin-cookie-redirect might go into a loop with Mozilla Firefox and Google Chrome for certain Third Level Domains because these browsers reject cookies set by the ProxySG.

The list of affected TLDs can be found at http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1 (currently redirects to https://publicsuffix.org/list/effective_tld_names.dat)

For example :

No.     Time     Source                Destination           SrcPort DstPort Protocol Info
      3 0.025    10.10.10.103          10.10.10.10           1605    8080    HTTP     GET http://www.wa.gov.au/ HTTP/1.1
      6 0.028    10.10.10.10           10.10.10.103          8080    1605    HTTP     HTTP/1.1 302 Found  (text/html)
     14 0.089    10.10.10.103          10.10.10.10           1606    8080    HTTP     GET http://sg200/?cfru=aHR0cDovL3d3dy53YS5nb3YuYXUv HTTP/1.1
     15 0.090    10.10.10.10           10.10.10.103          8080    1606    HTTP     HTTP/1.1 401 Unauthorized  (text/html)
     23 2.693    10.10.10.103          10.10.10.10           1607    8080    HTTP     GET http://sg200/?cfru=aHR0cDovL3d3dy53YS5nb3YuYXUv HTTP/1.1
     24 2.696    10.10.10.10           10.10.10.103          8080    1607    HTTP     HTTP/1.1 302 Found  (text/html)
     34 2.757    10.10.10.103          10.10.10.10           1608    8080    HTTP     GET http://www.wa.gov.au/?bcsi-ac-658A3E38FE4774A7=204B2C8B00000002+tUkM73uKrkJjG7S0q/jw+YSa5QCAAAAAgAAAIXGDQCEAwAAAAAAAAEAAAA= HTTP/1.1
     36 2.759    10.10.10.10           10.10.10.103          8080    1608    HTTP     HTTP/1.1 302 Found  (text/html)
     43 2.832    10.10.10.103          10.10.10.10           1609    8080    HTTP     GET http://www.wa.gov.au/ HTTP/1.1
     44 2.832    10.10.10.10           10.10.10.103          8080    1609    HTTP     HTTP/1.1 302 Found  (text/html)

Frame #34 :
GET http://www.wa.gov.au/?bcsi-ac-658A3E38FE4774A7=204B2C8B00000002+tUkM73uKrkJjG7S0q/jw+YSa5QCAAAAAgAAAIXGDQCEAwAAAAAAAAEAAAA= HTTP/1.1
Host: www.wa.gov.au
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,zh-hk;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Frame #36 :
HTTP/1.1 302 Found
Location: http://www.wa.gov.au/
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="NON ADM OUR STP COM"
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Set-Cookie: BCSI-AC-658A3E38FE4774A7=204B2C8B00000002+tUkM73uKrkJjG7S0q/jw+YSa5QCAAAAAgAAAIXGDQCEAwAAAAAAAAEAAAA=; Path=/; Domain=.wa.gov.au    <<<<<
Connection: close
Content-Length: 634

Frame #43 (no BCSI-AC-* cookie) :
GET http://www.wa.gov.au/ HTTP/1.1
Host: www.wa.gov.au
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.7,zh-hk;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
 

Resolution:

This has been addressed by B#198772 in SG 6.5.4.1.

SG 6.4.x and earlier SGOS versions are still affected by this.

 

Workaround

1. Use Internet Explorer to access the list of affected domains.

2. Use origin-ip-redirect for the list of affected domains.