06-21-2016 02:27 AM
Hi,
Currently working on a WSA project setup in explicit mode. The customer wants to use cookie surrogate credentials instead of the default IP surrogate credentials because of improved security. I have 2 questions regarding the surrogate cookies:
1. It is documented that cookie surrogate credentials do not work for HTTPS in an explicit proxy setup because the original request cannot be captured (sent after the HTTPS tunnel is set up) and cookie surrogates are not even attempted. Is this also true when HTTPS is being intercepted?
2. I'm seeing some weird behaviour when enabling cookie surrogate credentials for some websites (only noticed the behaviour on *.blogspot.be). It looks like the browser does not want to accept cookies for certain websites. This results in a redirect loop:
In more detail, the WSA sets the cookie for the final redirect:
But the request by the client following that redirect does not provide the cookie:
My common sense tells me it's a browser problem since the browser does not seem to want to provide the cookie set by the WSA, but I've tried different browsers (IE and FF), multiple computers (W8 and Red Hat Linux) and very loose browser security settings. The results remained the same.
I'm wondering if somebody has some tips to further troubleshoot or recommendations to not use cookie surrogate credentials at all for an explicit proxy setup.
Kr
06-21-2016 05:53 PM
Looks like matching this defect https://tools.cisco.com/bugsearch/bug/CSCuo81967