Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACE Cookie insert

Hi All

I am hoping someone can help with the following on the Cisco ACE, this is the ACE20.

A scan of our environment has revealed a vulnerability in the application hosted on ACE Load Balancer due to ACE inserting a predictable cookie for sticky http sessions.

The cookie type used is cookie insert browser-expire, I believe this is expected as the cookie value is derived from a combination from the serverfarm name, rserver name, and rserver port.

Is there anyway to changed this so the cookie is not predictable....

Thanks Craig

8 REPLIES
Cisco Employee

Hi Craig,I was wrong. You can

Hi Craig,

I was wrong. You can actually define the string of your choice. Please have a look below:

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/slbcfggd/rsfarms.html#wpxref94060

 

Configuring a Real Server Cookie Value for Cookie Insertion

From the above link:

You can enter a cookie string value of a real server that you want to use for HTTP cookie insertion by using the cookie-string value command in server farm real server configuration mode. You can configure one cookie string for each real server. Valid entries are text strings with a maximum of 32 alphanumeric characters. You can include spaces and special characters in a cookie string value provided that the spaces and special characters are included in double quotes (for example, "test cookie string"). If you use quotes in a cookie string, the specified cookie-string value appears in double quotes in the running-configuration file.

Use cookie insertion when you want to use a session cookie for persistence if the server is not currently setting the appropriate cookie. With this feature enabled, the ACE inserts the cookie in the Set-Cookie header of the response from the server to the client.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

New Member

HI KanwalThank you for the

HI Kanwal

Thank you for the response, I take it this command was introduced in A4. I have checked the configuration guide on the latest software for the ACE20 and I have not been able to see this setting.

Regards Craig

Cisco Employee

Hi Craig,I don't see it

Hi Craig,

I don't see it either. It seems that it was never added to ace20. Only for appliance and ace30. With ACE end of life i don't see that it would be introduced either.

Regards,

Kanwal

 

Note:Please mark answers if they are helpful.

Cisco Employee

Hi Craig,I confirmed it and

Hi Craig,

I confirmed it and you don't have this option in ACE20. Do you think you can try and configure static cookie? But you have limitation of 4095 static cookies only.

sticky http-cookie ACE COOKIE1

cookie insert

serverfarm Cookie-Sticky-Farm

1 static cookie-value "PC1" rserver PC1-1

2 static cookie-value "PC11" rserver PC2-1

Regards,

Kanwal

New Member

Hi KanwalThanks for the

Hi Kanwal

Thanks for the response, I take it this will be a predictable cookie as the value is static.

Regards Craig

Cisco Employee

Hi Craig,You can define any

Hi Craig,

You can define any anything there like "2 static cookie-value Test rserver PC2-1" and that will not make it predictable since it is not being generated by ACE depending upon standard parameters like rserver name etc.

Regards,

Kanwal

Note:Please mark answers if they are helpful.

Cisco Employee

Hi Craig,So something like

Hi Craig,

So something like this you can do in the serverfarm.

switch/Admin(config)# do sh running-config serverfarm XXX
Generating configuration....

serverfarm host XXX
rserver xxx1
cookie-string "test123"
inservice

Now, ACE shall use the above string for cookie insertion and it will point to rserver xxx1. You should have different string for each rserver under the serverfarm.

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.

 

Cisco Employee

Hi Craig,I don't think there

m

107
Views
5
Helpful
8
Replies