topic HI KanwalThank you for the in Application Networking

ACE Cookie insert

craig bache — Mon, 21 Jul 2014 18:05:57 GMT

Hi All

I am hoping someone can help with the following on the Cisco ACE, this is the ACE20.

A scan of our environment has revealed a vulnerability in the application hosted on ACE Load Balancer due to ACE inserting a predictable cookie for sticky http sessions.

The cookie type used is cookie insert browser-expire, I believe this is expected as the cookie value is derived from a combination from the serverfarm name, rserver name, and rserver port.

Is there anyway to changed this so the cookie is not predictable....

Thanks Craig

Hi Craig,I was wrong. You can

Kanwaljeet Singh — Mon, 21 Jul 2014 18:18:16 GMT

Hi Craig,

I was wrong. You can actually define the string of your choice. Please have a look below:

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/slbcfggd/rsfarms.html#wpxref94060

Configuring a Real Server Cookie Value for Cookie Insertion

From the above link:

You can enter a cookie string value of a real server that you want to use for HTTP cookie insertion by using the cookie-string value command in server farm real server configuration mode. You can configure one cookie string for each real server. Valid entries are text strings with a maximum of 32 alphanumeric characters. You can include spaces and special characters in a cookie string value provided that the spaces and special characters are included in double quotes (for example, "test cookie string"). If you use quotes in a cookie string, the specified cookie-string value appears in double quotes in the running-configuration file.

Use cookie insertion when you want to use a session cookie for persistence if the server is not currently setting the appropriate cookie. With this feature enabled, the ACE inserts the cookie in the Set-Cookie header of the response from the server to the client.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Craig,So something like

Kanwaljeet Singh — Mon, 21 Jul 2014 18:23:23 GMT

Hi Craig,

So something like this you can do in the serverfarm.

switch/Admin(config)# do sh running-config serverfarm XXX
Generating configuration....

serverfarm host XXX
rserver xxx1
cookie-string "test123"
inservice

Now, ACE shall use the above string for cookie insertion and it will point to rserver xxx1. You should have different string for each rserver under the serverfarm.

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Craig,I don't think there

Kanwaljeet Singh — Mon, 21 Jul 2014 18:33:33 GMT

HI KanwalThank you for the

craig bache — Mon, 21 Jul 2014 18:43:19 GMT

HI Kanwal

Thank you for the response, I take it this command was introduced in A4. I have checked the configuration guide on the latest software for the ACE20 and I have not been able to see this setting.

Regards Craig

Hi Craig,I don't see it

Kanwaljeet Singh — Mon, 21 Jul 2014 19:10:27 GMT

Hi Craig,

I don't see it either. It seems that it was never added to ace20. Only for appliance and ace30. With ACE end of life i don't see that it would be introduced either.

Regards,

Kanwal

Note:Please mark answers if they are helpful.

Hi Craig,I confirmed it and

Kanwaljeet Singh — Mon, 21 Jul 2014 19:29:56 GMT

Hi Craig,

I confirmed it and you don't have this option in ACE20. Do you think you can try and configure static cookie? But you have limitation of 4095 static cookies only.

sticky http-cookie ACE COOKIE1

cookie insert

serverfarm Cookie-Sticky-Farm

1 static cookie-value "PC1" rserver PC1-1

2 static cookie-value "PC11" rserver PC2-1

Regards,

Kanwal

Hi KanwalThanks for the

craig bache — Tue, 22 Jul 2014 07:49:49 GMT

Hi Kanwal

Thanks for the response, I take it this will be a predictable cookie as the value is static.

Regards Craig

Hi Craig,You can define any

Kanwaljeet Singh — Tue, 22 Jul 2014 16:58:48 GMT

Hi Craig,

You can define any anything there like "2 static cookie-value Test rserver PC2-1" and that will not make it predictable since it is not being generated by ACE depending upon standard parameters like rserver name etc.

Regards,

Kanwal

Note:Please mark answers if they are helpful.