
Set request cookies to Secure and httponly


Hi,

I am using AG 3.2 SP2 IR2. The requirement is to set request cookies
(i.e. JSESSIONID, etc.) to secure and httponly.
I am able to mark these cookies secure and httponly in the response but
unable to do that in the request.
The scenario is:
Open a fresh browser: when the first request comes there are no request
cookies.
When the second request comes there are multiple cookies (i.e. JSESSIONID,
ZNPC..., IPCZ...) in the request and none of them are secure and httponly.
Here I want to make them secure and httponly when the second request
comes in.

But when the response comes for that request, these cookies are marked as
secure and httponly.

I tried multiple options:

1. Enable this option: In the Administration Console, click
Devices > Access Gateways > Edit > Reverse Proxy / Authentication,
enable the Force HTTP-Only Cookies option, then click OK and
update the Access Gateway.

2. In the Administration Console, click Devices > Access
Gateways > Edit > Reverse Proxy / Authentication and
enable Secure Cookies and HttpOnly.

3. Add the following parameters in web.xml after the ldapLoadThreshold
context param:
    <context-param>
        <param-name>secureClusterCookie</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>httponlyClusterCookie</param-name>
        <param-value>true</param-value>
    </context-param>

To set the cluster cookies in the ESP, you must add the following parameter
in the NESP web.xml and restart Tomcat.
Add the following parameter in the web.xml below the ldapLoadThreshold
context param:
    <context-param>
        <param-name>httponlyClusterCookie</param-name>
        <param-value>true</param-value>
    </context-param>


But nothing worked for me.

Please suggest where we can create secure request cookies in NAM, or
whether that is possible at all.

Thanks,
Vaibhav


--
vaibhavkhare
------------------------------------------------------------------------
vaibhavkhare's Profile: https://forums.netiq.com/member.php?userid=5266
View this thread: https://forums.netiq.com/showthread.php?t=52188

6 Replies

Re: Set request cookies to Secure and httponly

vaibhavkhare wrote:

>
> Hi,
>
> I am using AG 3.2 SP2 IR2 version. Requirement is to set request
> cookies (i.e JSESSIONID,.. etc) secure and httponly.
> I am able to mark these cookies secure and httponly in response but
> unable to do that in request.
> scenario is:
> open fresh browser : when first request comes there is no request
> cookies.
> when second request comes there are multiple cookies (i.e. JSESSIONID,
> ZNPC...,IPCZ..) in request and none of secured and httponly. Now here
> i wanted to make them secure and httponly when second request comes
> in.


Any chance you can provide a Fiddler trace or post (feel free to
private message me) the URL of your protected resource so I can find
out what you mean?

--
Cheers,
Edward

Re: Set request cookies to Secure and httponly

Hi Vaibhav

The "ZNPC" cookie is used by the load balancing code (Apache
mod_balancer) running on the Access Gateway for session stickiness. There
is no option to set it to secure. If you have just one web server
protected by a given proxy server, this is in fact not needed at all and
can be switched off by disabling the Session Stickiness option.

Regards

Klaus


Re: Set request cookies to Secure and httponly


Thanks Klaus,

What about JSESSIONID? It should be secure and httponly, as we have
configured it in the Access Gateway.

Regards,
Vaibhav


Klaus Gast wrote:
> Hi Vaibhav
>
> The "ZNPC" cookie is used by the load balancing code (Apache
> mod_balancer) running on the Access Gateway for session stickiness.
> There
> is no option to set it to secure. If you have just one web server
> protected by a given proxy server this is in fact not needed at all and
> can be switched off by disabling the Session Stickiness option.
>
> Regards
>
> Klaus



--
vaibhavkhare


Re: Set request cookies to Secure and httponly

vaibhavkhare wrote:

>
> Thanks Klaus,
>
> What about JSESSIONID? should be secure and httponly as we have
> configured in Access Gateway.


It should be. Are you sure you didn't make any typos?


--
Cheers,
Edward

Re: Set request cookies to Secure and httponly


Thanks.

No, in options 1 and 2 there are UI flags to set, so there is no way for a
typo. For option 3 I have provided the details below and they seem correct.

3. Add the following parameters in web.xml after the ldapLoadThreshold
context param:
    <context-param>
        <param-name>secureClusterCookie</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>httponlyClusterCookie</param-name>
        <param-value>true</param-value>
    </context-param>

To set the cluster cookies in the ESP, you must add the following parameter
in the NESP web.xml and restart Tomcat.
Add the following parameter in the web.xml below the ldapLoadThreshold
context param:
    <context-param>
        <param-name>httponlyClusterCookie</param-name>
        <param-value>true</param-value>
    </context-param>

Let me explain my requirement again.

Step 1: Open a new browser.
Step 2: Hit any protected URL (this time there are no request cookies, as
it is a new browser, and the security constraints create a few secure and
httponly response cookies while processing the request).
Step 3: Without closing the browser, hit another protected request/URL (say,
copy-paste the URL into the address bar). This time we have a few request
cookies like JSESSIONID, IPCZQ..., but none of them are secure and httponly.
My requirement is to make the request cookies secure and httponly, as I'm
doing with the response cookies.

Hope you got my point.

Thanks,
Vaibhav



edmaa wrote:
> vaibhavkhare wrote:
>
> >
> > Thanks Klaus,
> >
> > What about JSESSIONID? should be secure and httponly as we have
> > configured in Access Gateway.

>
> It should be. You sure you didn't make any typos?
>
>
> --
> Cheers,
> Edward



--
vaibhavkhare


Re: Set request cookies to Secure and httponly

vaibhavkhare wrote:

>
> Thanks.
>
> No, in option 1 and 2 there is UI flags to set so no way for typo. In
> option 3 i have provided below details and seems correct.
>
> 3.
> Add the following parameters in web.xml after the ldapLoadThreshold
> context param :
> <context-param>
> <param-name>secureClusterCookie</param-name>
> <param-value>true</param-value>
> </context-param>
> <context-param>
> <param-name>httponlyClusterCookie</param-name>
> <param-value>true</param-value>
> </context-param>
>
> To set the cluster cookies in ESP, you must add the following
> parameter in the NESP web.xml and restart Tomcat:
> Add the following parameters in the web.xml below the
> ldapLoadThreshold context param :
> <context-param>
> <param-name>httponlyClusterCookie</param-name>
> <param-value>true</param-value>
> </context-param>


The above parameters will only set the 'UrnNovellNidpClusterMemberId'
cookie as secure and httpOnly. If you have a single IDP and a single ESP,
then this cookie won't show up.

When I enabled secure and httpOnly on the MAG, the JSESSIONID, the web server
session cookie (ZNP*) and the session cookie (IPC*) all had the secure and
httpOnly flags set, so I am not sure why this is not working for you.

What you can try is to re-push the config. Are you using the appliance
or the service, by the way? I tried it with the appliance SP2 (IR2 is no
longer available to download).

--
Cheers,
Edward
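A note on the request/response asymmetry that runs through this thread, with an added example that is not part of the forum discussion and not NetIQ/Access Gateway code. Per RFC 6265, Secure and HttpOnly are attributes of the server's Set-Cookie response header; the browser's Cookie request header carries only name=value pairs and has no syntax for attributes at all, so a trace (Fiddler or otherwise) will never show those flags on the request side. The place to audit is therefore each Set-Cookie line the gateway emits. The script below parses a constructed trace (cookie names patterned on the ones mentioned above, values made up, not captured from a real gateway) and reports which response cookies are missing the two flags, alongside what the client actually sends back:

```python
"""Audit cookie security attributes in an HTTP trace.

Added example, not from the forum thread or the Access Gateway product.
Secure and HttpOnly live on Set-Cookie (response); the Cookie request
header is only name=value pairs, so flags cannot appear there.
"""
from typing import Dict, List, Tuple

# Constructed sample trace; names mimic the thread's cookies, values are fake.
SAMPLE_TRACE = """\
GET /protected/app HTTP/1.1
Host: ag.example.com

HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=ABC123; Path=/; Secure; HttpOnly
Set-Cookie: IPCZQXexample=0001; Path=/; Secure; HttpOnly
Set-Cookie: ZNPCQ003-example=ROUTE1; Path=/
Location: https://ag.example.com/protected/app

GET /protected/app HTTP/1.1
Host: ag.example.com
Cookie: JSESSIONID=ABC123; IPCZQXexample=0001; ZNPCQ003-example=ROUTE1

HTTP/1.1 200 OK
Content-Type: text/html
"""

# Flags a session cookie on an HTTPS-only gateway should always carry.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Flag attributes such as Secure and HttpOnly have no value; they are
    recorded with an empty string so membership checks work.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def parse_cookie_header(header_value: str) -> Dict[str, str]:
    """A Cookie request header is only name=value pairs; no attributes exist."""
    cookies: Dict[str, str] = {}
    for pair in header_value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        cookies[name.strip()] = value
    return cookies


def audit_trace(trace: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every Set-Cookie in the trace."""
    findings: Dict[str, List[str]] = {}
    for line in trace.splitlines():
        if line.lower().startswith("set-cookie:"):
            name, _, attrs = parse_set_cookie(line.split(":", 1)[1])
            findings[name] = [f for f in REQUIRED_FLAGS if f not in attrs]
    return findings


def request_cookie_names(trace: str) -> List[str]:
    """Names the client echoes back in Cookie headers (no flags, by design)."""
    names: List[str] = []
    for line in trace.splitlines():
        if line.lower().startswith("cookie:"):
            names.extend(parse_cookie_header(line.split(":", 1)[1]))
    return names


if __name__ == "__main__":
    for cookie, missing in audit_trace(SAMPLE_TRACE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"Set-Cookie {cookie}: {status}")
    print("Cookie header sent back:", request_cookie_names(SAMPLE_TRACE))
```

Run against a real capture, the only actionable output is the per-Set-Cookie list; in the constructed trace the stickiness cookie is the one flagged, which matches the observation above that it cannot be marked Secure from the gateway UI.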
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.