ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

What is the HTTP header BCSI-CS cookie set by ProxySG and ASG?

book

Article ID: 200712

calendar_today

Updated On:

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

The ProxySG or Advanced Secure Gateway (ASG) will set a cookie in the form "BCSI-CS-XXXXXXXXXX".

Resolution

The ProxySG and the ASG use this cookie to determine the authentication disposition of a client. The CS in the header stands for "Challenge State".

 

If the ProxySG or the ASG requires authentication and an upstream proxy or webserver also requires authentication the ProxySG or ASG needs some way to know if the client credentials are meant for it or for an upstream server. If an upstream server challenges for credentials, then the ProxySG sets the BCSI-CS cookie so that it knows it should forward the credentials upstream. 

 

If the ProxySG or ASG isn't sure what to do with the credentials (i.e. when there are credentials in a request without a BCSI-CS cookie), then the ProxySG or ASG won't forward credentials upstream. This is to avoid leaking enterprise credentials to an external server in most cases. Leaking credentials would be a serious security risk, especially when Basic credentials were used.