Setting SameSite and Other Cookie Attributes using WebSEAL
Overview
Setting cookie attributes such as HttpOnly, Strict and SameSite helps ensure we're more resistant to things such as cross-site scripting (XSS), man-in-the-middle attacks and cross-site request forgery (CSRF) attacks. So how can we help protect ourselves from these types of attacks?
Solution
In Verify Access (ISAM), a new stanza was introduced into the WebSEAL configuration file which allows us to easily define attributes such as Comment, Expires, Max-Age, Domain, Path, Secure, HttpOnly and SameSite on any matched cookies before they are passed back to the client. This is done after WebSEAL has finished processing the request, which includes any HTTP transformation rules.
Attributes defined in the WebSEAL configuration file will replace any corresponding attribute which may already exist in the cookie.
Below is the syntax used with these stanzas:

[user-agent-groups]
group-name = pattern

[cookies-attributes]
<cookie-name-pattern> = {[+ | - <group-name> ]}<attr>

group-name: Name of the group.
pattern: A string which matches the user-agent; any user-agent that matches is included in the group. The '*' and '?' pattern matching characters can be used.
cookie-name-pattern: A string which matches the cookie name. The '*' and '?' pattern matching characters can be used.
attr: The cookie attribute to be set.
You can read more about cookie attributes and what they do here.
Example
Below are some examples:
[user-agent-groups]
unsupported-same-site = *Safari*
[cookies-attributes]
* = Strict=true
* = [-unsupported-same-site]SameSite=None
serverCookie* = Strict=true; HttpOnly=true;
Once applied, you'll see the flags enabled for all cookies that matched the rule. You'll notice that the PD-H-SESSION-ID, PD_STATEFUL and JSESSIONID cookies all now have the Secure flag set.
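To make the stanza syntax and the example above concrete, here is an added Python simulation of how the two stanzas are read and applied to a Set-Cookie header. It is illustrative code written for this article, not WebSEAL's own implementation, and it encodes one reading of the syntax: '*' and '?' glob matching for both user-agents and cookie names, a [+group] qualifier meaning the rule applies only to user-agents in the group, a [-group] qualifier meaning it applies only outside the group, and a configured attribute replacing any existing attribute of the same name. It also assumes that attr=true on a flag-style attribute (Secure, HttpOnly) is emitted as the bare flag. The configuration is constructed for the example (modelled on the one above, using the attribute names listed in the Solution section), and the cookie values and User-Agent strings are constructed as well. The final function is the check you would run after the rules apply: which of Secure, HttpOnly and SameSite a cookie is still missing.

```python
"""Simulation of the [user-agent-groups] / [cookies-attributes] stanzas.

Added example for this article; not IBM WebSEAL code. It models the
behaviour described in the text: glob matching of user agents and cookie
names, an optional [+group]/[-group] qualifier, and replacement of any
attribute already present on the cookie.
"""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed configuration modelled on the article's example, using the
# attribute names listed in the Solution section (Secure, HttpOnly, SameSite).
EXAMPLE_CONFIG = """
[user-agent-groups]
unsupported-same-site = *Safari*

[cookies-attributes]
* = Secure=true
* = [-unsupported-same-site]SameSite=None
serverCookie* = Secure=true; HttpOnly=true;
"""

# Attributes browsers expect as bare flags. Assumption: 'Secure=true' in the
# config is emitted as 'Secure', and 'Secure=false' suppresses the flag.
FLAG_ATTRIBUTES = {"secure", "httponly"}

Attr = Tuple[str, str]  # (name, value); value is "" for a bare flag
Rule = Tuple[str, Optional[str], Optional[str], List[Attr]]
# (cookie-name-pattern, '+' / '-' / None, group-name, attributes to set)

_QUALIFIER = re.compile(r"^(?:\[\s*([+-])\s*([^\]]+?)\s*\])?(.*)$")


def parse_attrs(text: str) -> List[Attr]:
    """'Secure=true; HttpOnly=true;' -> [('Secure','true'), ('HttpOnly','true')]"""
    attrs = []
    for part in text.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            attrs.append((name.strip(), value.strip()))
    return attrs


def parse_config(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Read both stanzas; rules keep file order, which is the order applied."""
    groups: Dict[str, str] = {}
    rules: List[Rule] = []
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, _, value = line.partition("=")  # first '=' separates key from rule
        key, value = key.strip(), value.strip()
        if stanza == "user-agent-groups":
            groups[key] = value
        elif stanza == "cookies-attributes":
            sign, group, attr_text = _QUALIFIER.match(value).groups()
            rules.append((key, sign, group, parse_attrs(attr_text)))
    return groups, rules


def parse_set_cookie(header: str) -> Tuple[str, str, List[Attr]]:
    """Split a Set-Cookie value into (name, value, [attributes])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = [(p.partition("=")[0].strip(), p.partition("=")[2].strip())
             for p in parts[1:] if p]
    return name.strip(), value.strip(), attrs


def render_set_cookie(name: str, value: str, attrs: List[Attr]) -> str:
    out = [f"{name}={value}"]
    for an, av in attrs:
        if an.lower() in FLAG_ATTRIBUTES:
            if av.lower() in ("", "true"):
                out.append(an)  # bare flag; a value of 'false' drops it
        else:
            out.append(f"{an}={av}" if av else an)
    return "; ".join(out)


def apply_rules(header: str, user_agent: str,
                groups: Dict[str, str], rules: List[Rule]) -> str:
    """Rewrite one Set-Cookie value as the stanzas describe."""
    name, value, attrs = parse_set_cookie(header)
    for pattern, sign, group, new_attrs in rules:
        if not fnmatch.fnmatchcase(name, pattern):
            continue
        if sign is not None:
            # An undefined group is treated as matching no user-agent (assumption).
            in_group = fnmatch.fnmatchcase(user_agent, groups.get(group, ""))
            if (sign == "+") != in_group:
                continue
        for an, av in new_attrs:
            # The configured attribute replaces any existing one of the same name.
            attrs = [(n, v) for n, v in attrs if n.lower() != an.lower()]
            attrs.append((an, av))
    return render_set_cookie(name, value, attrs)


def missing_protections(header: str) -> List[str]:
    """Post-deployment check: which of Secure/HttpOnly/SameSite are absent?"""
    _, _, attrs = parse_set_cookie(header)
    present = {an.lower() for an, _ in attrs}
    return [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in present]


# Constructed User-Agent strings for the demonstration.
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/16.0 Safari/605.1.15")

if __name__ == "__main__":
    groups, rules = parse_config(EXAMPLE_CONFIG)
    for ua in (FIREFOX_UA, SAFARI_UA):
        for cookie in ("PD-H-SESSION-ID=abc123; Path=/",
                       "serverCookieA=xyz; HttpOnly; SameSite=Lax"):
            rewritten = apply_rules(cookie, ua, groups, rules)
            print(rewritten, "| missing:", missing_protections(rewritten))
```

Running it shows the session cookie gaining Secure and SameSite=None for the Firefox user-agent, but only Secure for the Safari one, while the serverCookie* rule adds HttpOnly and overrides the cookie's original SameSite=Lax. One caveat when writing the user-agent pattern: Chrome's User-Agent string also contains the token "Safari", so a pattern like *Safari* matches more browsers than its name suggests; test the group against the actual User-Agent strings of the browsers you intend to include.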
Additional Information/Links
Here are some useful links you can check out for additional information.