Citrix ADC

Use case: How to force Secure and HttpOnly cookie options for websites using the Citrix ADC appliance

The web administrators may force the Secure, or HttpOnly, or both the flags on the Session ID and the authentication cookies that are generated by the web applications. You can modify the Set-cookie headers to include these two options by using an HTTP load balancing virtual server and rewrite policies on a Citrix ADC appliance.

  • HttpOnly - This option on a cookie causes the web browsers to return the cookie using the HTTP or HTTPS protocol only. The non-HTTP methods such as JavaScript document.cookie references cannot access the cookie. This option helps in preventing cookie theft due to cross-site scripting.

    NOTE

    You cannot use the HttpOnly option when a web application requires access to Cookie contents by using a client-side script, such as JavaScript or a client-side Java Applet. You can use the method mentioned in this document to rewrite only the server-generated cookies and not the cookies generated by Citrix ADC appliance. For example, AppFirewall, persistence, VPN session cookies and so on.

  • Secure - This option on a cookie causes the web browsers to return only the cookie value when the transmission is encrypted by SSL. This option can be used to prevent cookie theft through connection eavesdropping.

NOTE

The following procedure is not applicable for VPN virtual servers.

To configure the Citrix ADC appliance to force the Secure and HttpOnly flags for an existing HTTP virtual server by using CLI

  1. Create a rewrite action.

    This example is configured to set both Secure and HttpOnly flags. If either one is missing, modify it as necessary for other combinations.

    add rewrite action act_cookie_Secure replace_all http.RES.full_Header "\"Secure; HttpOnly; path=/\"" -search "regex(re!(path=/\\; Secure; HttpOnly)|(path=/\\; Secure)|(path=/\\; HttpOnly)|(path=/)!)"
    <!--NeedCopy-->
    

    This policy replaces all instances of “path=/”, “path=/; Secure”, “path=/; Secure; HttpOnly” and “path=/; HttpOnly” with “Secure; HttpOnly; path=/”. This regular expression (regex) fails if the case doesn’t match.

  2. Create a rewrite policy to trigger the action.

    add rewrite policy rw_force_secure_cookie "http.RES.HEADER(\"Set-Cookie\").EXISTS" act_cookie_Secure
    <!--NeedCopy-->
    
  3. Bind the rewrite policy to the virtual server to be secured. If Secure option is used, an SSL virtual server must be used.

    bind lb vserver mySSLVServer -policyName rw_force_secure_cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
    <!--NeedCopy-->
    

Examples:

The following example shows the cookie before setting the httpOnly flag

Set-Cookie: CtxsAuthId=C5614491; path=/Citrix/ProdWeb
<!--NeedCopy-->

The following example shows the cookie after setting the httpOnly flag

Set-Cookie: CtxsAuthId=C5614491; Secure; HttpOnly; path=/Citrix/ProdWeb/
<!--NeedCopy-->

To configure the Citrix ADC appliance to force the Secure and HttpOnly flags for an existing HTTP virtual server by using GUI

  1. Navigate to AppExpert > Rewrite > Actions, and click Add to add a new rewrite action.

    Configure rewrite actions

  2. Navigate to AppExpert > Rewrite > Policies, and click Add to add a new rewrite policy.

    Configure rewrite policy

  3. Navigate to Traffic Management > Load Balancing > Virtual Servers, and then bind the rewrite (response) policy to the corresponding SSL virtual server.

    Bind rewrite policy

Use case: How to force Secure and HttpOnly cookie options for websites using the Citrix ADC appliance