Cookies are an indispensable part of any web app, and hardening them is critical to securing apps against vulnerabilities. Every web app includes unique cookie attributes based on feature requirements and the client profile, so you can’t take a one-size-fits-all approach to formatting cookies. Now, with our most recent Citrix ADC release, you can program ADC-generated cookies to align with your app’s security requirements.

Certain apps store information about user sessions locally on an instance that is used when the user reconnects, for example, a shopping cart in an e-commerce application. This would require going back to the same application instance every time the user accesses the application. To achieve this stickiness, Citrix ADC inserts its own cookies, which should share the same security policies as the back-end cookie.

I covered securing back-end cookies in a recent blog post. You want to have the same level of programmability for ADC-generated cookies so you can achieve stickiness to the back end, as well as the required protection against vulnerabilities. The Chrome update for the ‘SameSite’ cookie attribute has necessitated this programmability for ADC-generated cookies mainly to enable legitimate cross-site access to apps and to ensure app access isn’t broken with Chrome updates.

You can leverage Citrix ADC's rewrite policy infrastructure and policy variables to make ADC-generated cookies programmable. Using rewrite policies, the app owner dictates the conditions under which a cookie attribute is included, and using a 'Variable' dictates the value of that attribute. While inserting its cookies, the ADC reads the 'Variable' and appends the required cookie attributes. In this blog post, I'll cover enabling cross-site access for ADC-generated cookies.

Enabling Cross-Site Access for Citrix ADC Cookies

Let's look at the 'SameSite' attribute for ADC-generated cookies. The same approach extends to other cookie attributes that might be added to the HTTP specification later. You can define the required cookie attribute(s) in the load balancer profile as shown here:

add lb profile webapp_profile -LiteralADCCookieAttribute ";SameSite=None; secure"

set lb vserver <LB vserver name> -lbprofilename webapp_profile

The configured cookie attribute will be appended to all ADC-generated cookies in responses forwarded to the client in cases of:

If you’re required to add the SameSite cookie attribute above for all the apps front-ended by the Citrix ADC, you can set the ADC cookie attribute in the global load balancer parameters as follows:

set lb parameter -LiteralADCCookieAttribute ";SameSite=None; secure"

If the requirement is a conditional insertion of cookie attributes, then you must define a policy ‘Variable’ for carrying the cookie attribute and associate it with the rewrite policy with the required condition(s).

For example, if the requirement is to skip the SameSite cookie attribute only when the client request comes from an incompatible browser version (for example, a Chrome version between 51 and 66), use the following:

add ns variable cookie_attribute -type TEXT(100) -scope transaction

add lb profile webapp_profile -ComputedADCCookieAttribute "$cookie_attribute"

set lb vserver <LB vserver name> -lbprofilename webapp_profile

add ns assignment null_assignment -variable $cookie_attribute -set ""

add policy expression exp_chrome "(HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrom\") && HTTP.REQ.HEADER(\"User-Agent\").REGEX_SELECT(re/Chrom.*\\d+./).REGEX_SELECT(re/\\d+/).TYPECAST_NUM_T(DECIMAL).BETWEEN(51,66))"

add rewrite policy exception_list "exp_chrome" null_assignment

add ns assignment cookie_assignment -variable $cookie_attribute -set "\"SameSite=None; secure\""

add rewrite policy append_samesite_cookie true cookie_assignment

Please note, if both LiteralADCCookieAttribute and ComputedADCCookieAttribute are configured, ComputedADCCookieAttribute takes precedence.
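To make the conditional logic above concrete, here is an added Python model of what the profile settings and the two rewrite policies do to an ADC cookie. It is not Citrix code: the LbProfile class, the function names, and the normalisation of the leading ';' separator are assumptions, and the Set-Cookie line and user agents are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed model of the two profile settings: LiteralADCCookieAttribute is a
# fixed string; ComputedADCCookieAttribute "$cookie_attribute" takes whatever
# the response rewrite policies left in the variable.
@dataclass
class LbProfile:
    literal_attribute: Optional[str] = None   # e.g. ";SameSite=None; secure"
    computed_attribute: bool = False          # True = "$cookie_attribute" configured

# Same selection as the exp_chrome expression: the first run of digits after
# "Chrom" (so it matches both "Chrome/58.0" and "Chromium/58.0").
CHROME_MAJOR = re.compile(r"Chrom\D*(\d+)")

def chrome_major_version(user_agent: str) -> Optional[int]:
    m = CHROME_MAJOR.search(user_agent)
    return int(m.group(1)) if m else None

def is_incompatible_chrome(user_agent: str) -> bool:
    """exp_chrome: Chrome major versions 51 through 66 (inclusive)."""
    v = chrome_major_version(user_agent)
    return v is not None and 51 <= v <= 66

def run_response_policies(user_agent: str) -> str:
    """Emulate the two RESPONSE rewrite policies in priority order.

    exception_list (priority 10, goto END): on an incompatible Chrome build,
    null_assignment clears $cookie_attribute and evaluation stops.
    append_samesite_cookie (priority 20): otherwise cookie_assignment sets it.
    """
    cookie_attribute = ""                       # null_assignment
    if is_incompatible_chrome(user_agent):      # exception_list matched -> END
        return cookie_attribute
    cookie_attribute = "SameSite=None; secure"  # cookie_assignment
    return cookie_attribute

def effective_attribute(profile: LbProfile, user_agent: str) -> str:
    """Computed takes precedence over Literal when both are configured."""
    if profile.computed_attribute:
        return run_response_policies(user_agent)
    return profile.literal_attribute or ""

def append_to_set_cookie(set_cookie: str, attribute: str) -> str:
    # Assumption: a leading ';' in the configured string is only a separator,
    # so it is normalised to a single '; ' before appending.
    attr = attribute.strip().lstrip(";").strip()
    return set_cookie if not attr else f"{set_cookie.rstrip('; ')}; {attr}"

def adc_set_cookie(profile: LbProfile, user_agent: str, set_cookie: str) -> str:
    """Set-Cookie header as the client receives it from the ADC."""
    return append_to_set_cookie(set_cookie, effective_attribute(profile, user_agent))

# Constructed sample data (not captured from a real deployment).
SAMPLE_COOKIE = "NSC_example=abc123; Path=/"
UA_CHROME_58 = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
UA_CHROME_80 = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"

if __name__ == "__main__":
    computed = LbProfile(computed_attribute=True)
    literal = LbProfile(literal_attribute=";SameSite=None; secure")
    for label, ua in (("Chrome 58", UA_CHROME_58), ("Chrome 80", UA_CHROME_80), ("Firefox", UA_FIREFOX)):
        print(f"computed, {label}: {adc_set_cookie(computed, ua, SAMPLE_COOKIE)}")
    print(f"literal, Chrome 58: {adc_set_cookie(literal, UA_CHROME_58, SAMPLE_COOKIE)}")
```

Running it shows the difference the precedence rule makes: with only the literal attribute, Chrome 58 still receives SameSite=None and silently drops the persistence cookie; with the computed attribute the exception policy leaves that client's cookie untouched, while every other client gets the attribute appended.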

Bind the above HTTP rewrite policies to the load balancing virtual server (LB vserver) front-ending your application.

bind lb vserver <LB vserver name> -policyName exception_list -priority 10 -gotoPriorityExpression END -type RESPONSE

bind lb vserver <LB vserver name> -policyName append_samesite_cookie -priority 20 -gotoPriorityExpression NEXT -type RESPONSE

If all apps front-ended by the Citrix ADC have the same requirement to secure the ADC-generated cookies, you can bind the above rewrite policies to the global HTTP response override bind point. This lets you avoid repeating the above changes for each application-specific LB vserver.

bind rewrite global exception_list 10 END -type RES_OVERRIDE

bind rewrite global append_samesite_cookie 20 NEXT -type RES_OVERRIDE

Please note, when binding policies to an LB vserver or a global override bind point, make sure the goto priority expression parameter in the 'bind' command is set to 'NEXT' or to the next higher-priority policy in the list that needs to be executed. This allows the other existing rewrite policies to be evaluated alongside the new SameSite-related policies.

Enhancing ADC Cookie Security

To protect ADC-generated cookies from being read by script in cross-site scripting (XSS) attacks, we recommend adding the 'HttpOnly' attribute, as shown below (in addition to the cookie attributes covered above). You should also encrypt your ADC-generated cookies to make them opaque to attackers.

set lb profile webapp_profile -httponlycookieflag enabled -useEncryptedPersistenceCookie enabled
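As an added check (not Citrix code), the following Python audits the Set-Cookie headers of a response for the attributes this post recommends, including the failure mode where SameSite=None is present without Secure. The sample headers are constructed, and the NSC_ prefix used to pick out ADC-generated cookies is an assumption to adjust for your deployment.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class CookieFinding:
    name: str
    problems: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a lower-cased
    attribute map (flag attributes such as Secure map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_set_cookie(header: str) -> CookieFinding:
    """Check one Set-Cookie header for Secure, HttpOnly and a usable SameSite."""
    name, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if "secure" not in attrs:
        finding.problems.append("missing Secure")
    if "httponly" not in attrs:
        finding.problems.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        finding.problems.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # Current browsers reject SameSite=None cookies that are not Secure,
        # which breaks persistence rather than weakening it silently.
        finding.problems.append("SameSite=None without Secure (rejected by current browsers)")
    return finding

def audit_response(set_cookie_headers: List[str], prefix: str = "NSC_") -> Dict[str, List[str]]:
    """Return {cookie name: problems} for every ADC cookie that has a problem.
    The NSC_ prefix is an assumption about how ADC cookies are named."""
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        finding = audit_set_cookie(header)
        if finding.name.startswith(prefix) and finding.problems:
            report[finding.name] = finding.problems
    return report

# Constructed sample headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    "NSC_hardened=abc123; Path=/; SameSite=None; secure; HttpOnly",
    "NSC_default=abc123; Path=/",
    "NSC_partial=abc123; Path=/; SameSite=None",
    "app_session=xyz; Path=/; Secure; HttpOnly",   # back-end cookie, not audited here
]

if __name__ == "__main__":
    for name, problems in audit_response(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(problems)}")
```

The audit can only see attributes; whether useEncryptedPersistenceCookie is doing its job shows up as the cookie value itself no longer carrying anything recognisable about the back end, which is worth eyeballing in the same capture.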

Learn More

The ability to program protocol specifications, like cookies, to tailor a Citrix ADC configuration to meet your application needs is powerful. Learn more about Citrix ADC’s cookie-protection features and Citrix ADC policy infrastructure.