Cookies generated by VPN Vserver lack Secure/SameSite/HttpOnly flags

Article ID: CTX330660

Description

Cookies generated by VPN Vserver lack Secure/SameSite/HttpOnly flags

Resolution

1. Secure
The cookies listed here are actually used to flush cookies: their values are all “xyz” and they are already expired, so they carry nothing.

In testing, the RfWebUI portal theme does not emit those “non-secure” cookies. If the customer still has concerns, they can configure the RfWebUI portal theme as a workaround.

2. SameSite
To set the SameSite attribute at the VPN server level, use the following command.
set vpn vserver VP1 -SameSite [STRICT | LAX | None]

If the browser drops cross-site cookies, you can bind that cookie string to the existing ns_cookies_SameSite patset so that the SameSite attribute is added to the cookie.
Example:
bind patset ns_cookies_SameSite "NSC_TASS"
bind patset ns_cookies_SameSite "NSC_TMAS"

For more configuration details, refer to:
https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-samesite-for-aaa-deployments.html

3. HttpOnly
Setting the HttpOnly flag on cookies is not a vulnerability fix but is considered a best practice. Scanners, or simple observation without knowing what a cookie is used for, can cause confusion, as customers immediately suspect a vulnerability.
That said, the ADC cannot set the HttpOnly flag on certain cookies, such as EPA cookies: these have to be passed to the EPA plugin, so they cannot carry that attribute or the cookie will fail to pass.
Also, it is not possible to rewrite the cookies generated by the VPN vserver by any means to include the HttpOnly flag. Modifying Set-Cookie headers to include the option can be done using an HTTP Load Balancing virtual server and Rewrite Policies on a NetScaler appliance.

For more details, refer to:
https://support.citrix.com/article/CTX306602
https://support.citrix.com/article/CTX219479
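To verify the Secure, HttpOnly and SameSite attributes after applying the configuration above, the following added check (not from the article or the product) parses the Set-Cookie headers a scanner would see and skips the expired “xyz” flush cookies described under point 1, so only cookies that are actually set are reported. The cookie names NSC_TASS and NSC_TMAS come from the article; the header values are constructed.

```python
# Audit Set-Cookie headers for Secure/HttpOnly/SameSite; NSC_* names from the article, values constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REQUIRED = ("secure", "httponly", "samesite")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_flush_cookie(attrs, now):
    """True when the header only deletes a cookie (Max-Age <= 0 or Expires in the past)."""
    if "max-age" in attrs:
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):  # unparsable date: treat as a live cookie
            return False
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp <= now
    return False

def audit(headers, now=None):
    """Return {cookie name: [missing attributes]} for cookies that are actually set.
    Flush cookies (the expired "xyz" ones the article describes) are skipped."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if is_flush_cookie(attrs, now):
            continue
        missing = [attr for attr in REQUIRED if attr not in attrs]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample response headers, not captured from a real appliance.
SAMPLE_HEADERS = [
    "NSC_TASS=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "NSC_TMAS=xyz; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",  # flush only
    "NSC_TMAS=def456; Path=/; Secure",
]
```

Running `audit(SAMPLE_HEADERS)` reports only the live NSC_TMAS cookie as missing HttpOnly and SameSite; the expired flush cookie is ignored.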

Problem Cause

Security vulnerability scan