2

I need to rewrite all cookies in the website to have HttpOnly, Secure, and SameSite=lax because of vulnerability tool findings.

Sample cookies:

 cookie1 = oiu3ou2o3u2o42uo2;
 cookie2 = 0830413o4o1uo4uo1u;HttpOnly;
 cookie3 = 040382048308108814081;HttpOnly;Secure;
 cookie4 = 80jafjlajdflajfldjaljf;HttpOnly;Secure;SameSite=lax;

Expected result in response header;

Set-Cookie: cookie1=oiu3ou2o3u2o42uo2;HttpOnly;Secure;SameSite=lax;
Set-Cookie: cookie2=0830413o4o1uo4uo1u;HttpOnly;Secure;SameSite=lax;
Set-Cookie: cookie3=040382048308108814081;HttpOnly;Secure;SameSite=lax;

This is my rewrite outbound rules

<rewrite>
        <outboundRules>
           <rule name="Add HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                <conditions>
                    <add input="{R:0}" pattern="; httpOnly" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; HttpOnly" />
            </rule>
            <rule name="Add Secure">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                <conditions>
                    <add input="{R:0}" pattern="; Secure" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; Secure" />
            </rule>
            <rule name="add Samesite">
              <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
                <conditions>
                    <add input="{R:0}" pattern="; sameSite" negate="true" />
                </conditions>
              <action type="Rewrite" value="{R:0}; SameSite=lax" />
            </rule> 
        </outboundRules>
    </rewrite>

Result (I cant figure out why I'm seeing this one).

 Set-Cookie: ; HttpOnly; Secure; SameSite=lax
 Set-Cookie: cookie1=oiu3ou2o3u2o42uo2;

I'm doing this one in windows server 2008 R2/ IIS7,

iCeR
  • 139
  • 3
  • 15

1 Answers1

0

The rule works fine on my mutiple local instances. So it looks just like the Set-cookie header with cookie is generated after rewrite outbound rule.

Could you explain how did you generate the set-cookie header? Did you return the cookie via proxy? It is recommended to enable failed request tracing and it should tell us what's going on these.

https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis

enter image description here

enter image description here

Jokies Ding
  • 3,374
  • 1
  • 5
  • 10
  • The cookie comes from a load balancer. Is it possible to modify those cookie attributes? – iCeR Aug 26 '20 at 08:52