
Session cookies ending in an equal sign (=) are truncated by the API Gateway


Article ID: 42587


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

The CA API Gateway uses HTTP cookies for state management and persistence. HTTP cookies are defined in RFC 6265. Cookies issued by some platforms do not follow the RFC as strictly as necessary: some cookies, such as the SMSESSION cookie, contain an equal sign (=) in the cookie value without the value being enclosed in double quotes. The Apache Tomcat server used by the API Gateway truncates an HTTP cookie whose value contains an equal sign that is not enclosed in double quotes. Section 8 of RFC 6265 specifies the syntax of HTTP cookies, and an equal sign inside an unquoted value is not compliant with that specification. Apache Tomcat can be reconfigured to accept such non-compliant cookies.

Environment

Release:
Component: APIGTW

Cause

An HTTP cookie may be truncated before it is forwarded to the HTTP endpoint. For example, the API Gateway truncates the following cookie at the second equal sign, so only the part of the value before that equal sign is passed on:

Before: MyCookie=base_domain=.test.com;
After:  MyCookie=base_domain

Resolution


  1. Log in to the API Gateway appliance and access the privileged shell (root).
  2. Open the system properties configuration file in a text editor: vi /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  3. Append the following directive to the file: org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true
  4. Save the file and exit the text editor.
  5. Restart the API Gateway appliance.
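The truncation described under Cause and the effect of the ALLOW_EQUALS_IN_VALUE directive from the Resolution can be seen offline with the following Python model. This is an added example, not code from the article, from CA/Broadcom or from Apache Tomcat: the scanner is a simplified stand-in for Tomcat's cookie parser, and the function names (parse_cookie_header, find_truncation_risks, ensure_directive), the sample Cookie headers and the system.properties text are constructed for the illustration.

```python
"""Model of strict vs. permissive handling of '=' in HTTP cookie values.

Added example (not from the Broadcom article or from Apache Tomcat). The
scanner below is a simplified stand-in for Tomcat's cookie parser: in
strict mode an unquoted value ends at the first '=' and the rest of that
cookie is discarded, which reproduces the symptom in the article; with
allow_equals_in_value=True the value runs to the next ';'. Double-quoted
values keep their '=' in both modes, as RFC 6265 quoted values do.
"""
from typing import Dict, List

# Directive from the article's Resolution section, unchanged.
ALLOW_EQUALS_DIRECTIVE = (
    "org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE=true"
)


def parse_cookie_header(header: str, allow_equals_in_value: bool = False) -> Dict[str, str]:
    """Parse a Cookie request header into {name: value}."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " \t;":      # skip separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] not in "=;":    # cookie-name runs up to '='
            i += 1
        name = header[start:i].strip()
        if i >= n or header[i] == ";":            # bare name without a value
            continue
        i += 1                                    # consume '='
        if i < n and header[i] == '"':            # quoted value: '=' is allowed
            i += 1
            start = i
            while i < n and header[i] != '"':
                i += 1
            value = header[start:i]
            i += 1                                # consume closing quote
        else:                                     # unquoted value
            stop = ";" if allow_equals_in_value else ";="
            start = i
            while i < n and header[i] not in stop:
                i += 1
            value = header[start:i].strip()
        while i < n and header[i] != ";":         # discard leftovers up to ';'
            i += 1
        if name:
            cookies[name] = value
    return cookies


def find_truncation_risks(header: str) -> List[str]:
    """Names of cookies whose value would be cut short by strict parsing."""
    strict = parse_cookie_header(header, allow_equals_in_value=False)
    permissive = parse_cookie_header(header, allow_equals_in_value=True)
    return sorted(name for name, value in permissive.items() if strict.get(name) != value)


def ensure_directive(properties_text: str, directive: str = ALLOW_EQUALS_DIRECTIVE) -> str:
    """Return properties_text with the directive present exactly once (Resolution step 3)."""
    key = directive.split("=", 1)[0]
    kept = [line for line in properties_text.splitlines()
            if line.split("=", 1)[0].strip() != key]   # drop any earlier setting of the key
    return "\n".join(kept + [directive]) + "\n"


if __name__ == "__main__":
    # Constructed Cookie header: the article's example plus an SMSESSION-style value.
    header = "MyCookie=base_domain=.test.com; SMSESSION=abc==; Plain=1"
    print(parse_cookie_header(header))                              # strict: values truncated
    print(parse_cookie_header(header, allow_equals_in_value=True))  # full values kept
    print(find_truncation_risks(header))                            # ['MyCookie', 'SMSESSION']
    print(ensure_directive("# constructed system.properties\nfoo=bar\n"))
```

Running the strict parse on the article's example yields MyCookie=base_domain, the truncated form shown under Cause; the permissive parse keeps base_domain=.test.com, as the gateway does after the directive is applied. Quoting the value on the issuing side is the RFC-conformant alternative and is unaffected by the setting, while the directive relaxes parsing for every cookie the gateway receives, so a check like find_truncation_risks over representative Cookie headers is a useful way to confirm which cookies actually depend on it.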