How to Force Secure and HttpOnly Cookie Options for Websites Using NetScaler Appliance

Article ID: CTX306602

Description

Web administrators can force the Secure and/or HttpOnly flags on the session ID and authentication cookies generated by their web applications. The Set-Cookie headers can be modified to include these two attributes by using an HTTP load balancing virtual server together with Rewrite policies on a NetScaler appliance.

Background

  • HttpOnly - A cookie carrying this attribute is returned by the browser only over the HTTP (or HTTPS) protocol; non-HTTP methods such as JavaScript document.cookie references cannot read it. This attribute helps prevent cookie theft through cross-site scripting.
  • Secure - A cookie carrying this attribute is returned by the browser only when the connection is encrypted with SSL. This attribute helps prevent cookie theft through connection eavesdropping.

Instructions

Important! You cannot use the HttpOnly option when a web application requires access to cookie contents from a client-side script such as JavaScript or a client-side Java applet. With the method described in this article, only server-generated cookies can be rewritten, not the cookies generated by the NetScaler appliance itself (for example, AppFirewall, persistence, and VPN session cookies).

The HttpOnly flag on the NSC_AAAC and NSC_TMAS cookies is available in release 13.0-79.x and later (disabled and hidden by default).
Use the following commands to enable or disable the feature.

  • To enable:
    • set aaa parameter -httpOnlyCookie ENABLED
  • To disable:
    • set aaa parameter -httpOnlyCookie DISABLED
  • To check the status of the feature, use the nsapimgr knob below (because the CLI command is hidden, `show aaa parameter` does not display this parameter):
    • shell nsapimgr_wr.sh -ys call=is_httponly_cookie_enabled
    • This writes a debug log entry similar to the following to /var/log/ns.log:
    • Nov 15 15:33:45 <local0.debug> xx.xxx.xxx.xxx 03/20/2021:15:33:45 GMT EDC-HOST-NS1 0-PPE-0 : default SSLVPN Message 686 0 :  "is_httponly_cookie_enabled: Httponly cookie support is enabled"

Note: This procedure is not applicable to VPN virtual servers.

To configure the NetScaler appliance to force the Secure and HttpOnly flags for an existing HTTP virtual server, complete the following steps:

Using NetScaler GUI

Note: This option is not available with a Standard license because it requires the AAA feature, which is disabled in the Standard license.
  1. Go to Rewrite Actions, and then click Add to add a new rewrite action.

  2. Go to Rewrite > Policies, and then click Add to add a new Rewrite policy.

  3. Go to Load Balancing Virtual Servers, and then bind the Rewrite (Response) policy to the corresponding SSL VServer.

Using NetScaler CLI

  1. Create a rewrite action (this example is configured to set both the Secure and HttpOnly flags; modify it as necessary for other combinations).
    add rewrite action act_cookie_Secure replace_all http.RES.full_Header "\"Secure; HttpOnly; path=/\"" -search "regex(re!(path=/\\; Secure; HttpOnly)|(path=/\\; Secure)|(path=/\\; HttpOnly)|(path=/)!)" -bypassSafetyCheck YES
    This action replaces all instances of "path=/", "path=/; Secure", "path=/; Secure; HttpOnly", and "path=/; HttpOnly" with "Secure; HttpOnly; path=/". Note that the regex is case-sensitive and does not match if the case differs.

  2. Create a rewrite policy to trigger the action.
    add rewrite policy rw_force_secure_cookie "http.RES.HEADER(\"Set-Cookie\").EXISTS" act_cookie_Secure

  3. Bind the rewrite policy to the VServer to be secured (if the Secure option is used, it should be an SSL VServer).
    bind lb vserver mySSLVServer -policyName rw_force_secure_cookie -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

    Example:
    Before Rewrite: < Set-Cookie: CtxsAuthId=C5614491; path=/Citrix/ProdWeb/
    After Rewrite:  < Set-Cookie: CtxsAuthId=C5614491; Secure; HttpOnly; path=/Citrix/ProdWeb/
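The following Python script is an added example, not part of the Citrix article and not NetScaler code. It transcribes the search regex and replacement string from the rewrite action above into Python so the rewrite can be rehearsed offline against a captured response header block, and it adds the post-rewrite audit a practitioner would want: parse every Set-Cookie header and report whether Secure and HttpOnly are actually present. The sample response is constructed; only the CtxsAuthId line is taken from the article's own example. The cases with a capitalised "Path=/" and with no path attribute at all are included because, as the pattern is written, neither is rewritten, so those cookies leave the appliance without the flags.

```python
import re

# The search pattern from the article's rewrite action, transcribed into Python regex
# syntax. NetScaler's re!...! delimiters are dropped and the "\\;" in the CLI string is
# a shell-escaped literal semicolon. The alternatives are ordered longest-first so an
# already-flagged cookie is matched as a whole rather than by its "path=/" prefix, which
# avoids producing duplicate attributes.
SEARCH = re.compile(
    r"(path=/; Secure; HttpOnly)|(path=/; Secure)|(path=/; HttpOnly)|(path=/)"
)
REPLACEMENT = "Secure; HttpOnly; path=/"

# Constructed sample response. Only the CtxsAuthId cookie comes from the article.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: CtxsAuthId=C5614491; path=/Citrix/ProdWeb/\r\n"  # from the article
    "Set-Cookie: sess=abc123; path=/; HttpOnly\r\n"                # constructed: partially flagged
    "Set-Cookie: legacy=1; Path=/\r\n"                             # constructed: capitalised Path
    "Set-Cookie: nopath=xyz\r\n"                                   # constructed: no path attribute
    "\r\n"
)


def rewrite_response_headers(raw_headers: str) -> str:
    """Apply the article's replace_all rewrite to a raw HTTP response header block.

    Like the NetScaler action (which targets http.RES.full_Header), this operates on
    the full header text, so every occurrence of the pattern is replaced.
    """
    return SEARCH.sub(REPLACEMENT, raw_headers)


def set_cookie_headers(raw_headers: str) -> list:
    """Return the values of all Set-Cookie headers in a raw header block."""
    values = []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_flags(set_cookie_value: str) -> dict:
    """Report whether one Set-Cookie value carries the Secure and HttpOnly attributes.

    Attribute names are compared case-insensitively, as browsers do, which is more
    lenient than the rewrite regex itself; the audit therefore reports what the
    browser will see rather than what the regex matched.
    """
    attrs = [part.strip() for part in set_cookie_value.split(";")[1:]]
    names = {attr.split("=", 1)[0].lower() for attr in attrs}
    return {"secure": "secure" in names, "httponly": "httponly" in names}


def audit(raw_headers: str) -> dict:
    """Map each cookie name to its Secure/HttpOnly status after the rewrite."""
    report = {}
    for value in set_cookie_headers(rewrite_response_headers(raw_headers)):
        cookie_name = value.split("=", 1)[0]
        report[cookie_name] = cookie_flags(value)
    return report


if __name__ == "__main__":
    for name, flags in audit(SAMPLE_RESPONSE).items():
        status = "ok" if flags["secure"] and flags["httponly"] else "MISSING FLAGS"
        print(f"{name}: {flags} -> {status}")
```

Running the script shows the CtxsAuthId and sess cookies coming out with both flags, while the legacy and nopath cookies are reported as missing them. That second group is what to look for when validating the policy against a real application: any Set-Cookie header that does not contain the exact lowercase text "path=/" passes through the action unchanged.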

Issue/Introduction

This article describes how to force the Secure and HttpOnly cookie options for websites using a NetScaler appliance.

Additional Information

HTTP cookie