Secure Mobile Access 100 10.2 Administration Guide

How Does Cookie Tampering Protection Work?

The SonicWall SMA appliance protects important server-side cookies from tampering. There are two kinds of cookies:

Server-Side Cookies – These cookies are generated by backend web servers. They are important and have to be protected. They have optional attributes like Path, Domain, Secure, and HttpOnly.

Client-Side Cookies – These cookies are created by client side scripts in user browsers. They are not safe, and can be easily tampered with.

This feature is found on the Web Application Firewall > Settings page.

This page contains the following options:

Portals – A list of all application offloading portals. Each portal has its own settings. The item Global is the default setting for all portals.

Tamper Protection Mode – Three modes are available:

  • Disabled – Cookie tamper protection is disabled.
  • Detect only – Log the tampered cookies only.
  • Prevent – Strip all the tampered cookies and log them.
  • Inherit Global – Use the global setting for this portal. This option is not available when Global is selected from the Portals drop-down menu.

Encrypt Server Cookies – Choose to encrypt name and value separately. This affects client-side script behavior because it makes cookie names or values unreadable. Only server-side cookies are encrypted by these options.

Cookie Attributes – The attributes HttpOnly and Secure are appended to server-side cookies if they are enabled.

The attribute HttpOnly prevents the client-side scripts from accessing the cookies, which is important in mitigating attacks such as Cross Site Scripting and session hijacking. The attribute Secure ensures that the cookies are transported only in HTTPS connections. Both together add a strong layer of security for the server-side cookies.

By default, the attribute Secure is always appended to an HTTP connection even if Cookie Tampering Protection is disabled. This behavior is a configurable option, and can be turned off.

Client Cookies – The Client Cookies Allow option is enabled by default. In Strict mode, the Allow option is disabled. When disabled, client-side cookies are not allowed to be sent to the backend systems. This option does not affect server-side cookies.

Exclusion List – If the Exclusion List is enabled and contains a cookie, the cookie is passed as usual and is not protected. You can exclude server-side cookies and client-side cookies.

Exclusion list items are case sensitive, and in the format ‘CookieName@CookiePath’. Cookies with the same name and different paths are treated as different cookies. ‘CookiePath’ can be left empty to represent any path.

Import Global – Application Offloading portals can import the Global exclusion list.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.