Cookie Jar Handler

Purpose

The Cookie Jar Handler only has an effect when the Session Handler is also active. In detection mode, the Cookie Jar Handler is ignored.

Cookies are used by many web applications to transmit state between the browser and the web application. Virtually all web frameworks use a cookie to issue a session ID. Unfortunately, this doesn't always provide sufficient protection. Possible weak points include generating session IDs without cryptographic security, or storing authorization information in cookies without validating the values again on the next request.

The Cookie Jar Handler allows you to secure the cookies of your web application. Cookies then no longer leave the web server, but are stored by vWAF in the session created by the Session Handler. Protected cookies are therefore no longer forwarded to the client. With a new request within the same session, vWAF transparently inserts the cookies back into the request.

All cookies that still need to be passed to the client must be defined explicitly under allowedcookies. This may be desirable, for example, for permanent cookies that save the user's preferred language or other individual settings.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

To protect web applications with cookies, this handler should always be active.

Attributes

Attribute Meaning

allowedcookies

Names of the cookies to be sent in the normal way between the web application and the client despite the Cookie Jar Handler being active.

The cookie specified in the Session Handler under cookiename is always permitted automatically and doesn't have to be entered here.

omit domain check

Normally vWAF, like a browser, performs the domain check for the web application's cookies.

If you enable this option, vWAF skips this check and sends cookies to the web application regardless of the domain / host restriction. This gives you the ability to share cookies with other hosts of the same domain.

log removed cookies

If this option is enabled, vWAF adds an entry to the application-specific log file each time it removes a cookie.

Usually you should only activate this option for debugging purposes, if your web application doesn't work properly after enabling the Cookie Jar Handler.

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports.

To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.
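The following is an added worked example of the mechanism described under Purpose (protected cookies stored per session, re-inserted on the next request, allowedcookies passing through) together with the omit domain check and log removed cookies attributes. It is illustrative code written for this page, not vWAF's implementation: the class and method names are invented, the session ID is assumed to be supplied by the Session Handler, the log is a plain list standing in for the application-specific log file, and where the client sends a cookie whose name is protected, the example assumes the server-side copy wins.

```python
from http.cookies import SimpleCookie


class CookieJarHandler:
    """Hypothetical cookie jar: keeps protected cookies server-side per session."""

    def __init__(self, session_cookie_name, allowed_cookies=(),
                 omit_domain_check=False, log_removed_cookies=False):
        self.session_cookie_name = session_cookie_name
        # allowedcookies: names that still travel to the client; the session cookie always does
        self.allowed = set(allowed_cookies) | {session_cookie_name}
        self.omit_domain_check = omit_domain_check
        self.log_removed_cookies = log_removed_cookies
        # session id -> {cookie name: (value, Domain attribute, host that set the cookie)}
        self.jars = {}
        self.log = []  # stand-in for the application-specific log file

    def on_response(self, session_id, origin_host, set_cookie_headers):
        """Filter the application's Set-Cookie headers on their way to the client.

        Returns the headers that may leave; every other cookie is moved into the jar.
        session_id is assumed to come from the Session Handler.
        """
        forwarded = []
        jar = self.jars.setdefault(session_id, {})
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                if name in self.allowed:
                    forwarded.append(header)
                    continue
                jar[name] = (morsel.value, morsel["domain"], origin_host)
                if self.log_removed_cookies:
                    self.log.append(
                        f"session {session_id}: removed cookie {name!r} from response")
        return forwarded

    def on_request(self, session_id, request_host, cookie_header):
        """Re-insert jarred cookies so the application sees them as if the browser had sent them."""
        client = {}
        if cookie_header:
            parsed = SimpleCookie()
            parsed.load(cookie_header)
            client = {name: morsel.value for name, morsel in parsed.items()}
        merged = dict(client)
        for name, (value, domain, origin_host) in sorted(self.jars.get(session_id, {}).items()):
            if self._domain_matches(request_host, domain, origin_host):
                # assumption of this example: the server-side copy overrides a client-sent one
                merged[name] = value
        return "; ".join(f"{name}={value}" for name, value in merged.items())

    def _domain_matches(self, request_host, cookie_domain, origin_host):
        """Browser-style domain check, skipped entirely when omit domain check is enabled."""
        if self.omit_domain_check:
            return True
        if not cookie_domain:
            # no Domain attribute: host-only cookie, valid only for the host that set it
            return request_host.lower() == origin_host.lower()
        domain = cookie_domain.lstrip(".").lower()
        host = request_host.lower()
        return host == domain or host.endswith("." + domain)


# Constructed sample traffic: a session cookie, an allowed language cookie,
# a host-only authorization cookie and a domain-wide preference cookie.
SAMPLE_SET_COOKIES = [
    "SESSIONID=abc; Path=/; HttpOnly",
    "lang=de; Path=/; Max-Age=31536000",
    "role=admin; Path=/",
    "pref=dark; Domain=example.com; Path=/",
]


def run_sample(omit_domain_check=False):
    """Play one response and two follow-up requests through the handler."""
    handler = CookieJarHandler("SESSIONID", allowed_cookies=["lang"],
                               omit_domain_check=omit_domain_check,
                               log_removed_cookies=True)
    to_client = handler.on_response("s1", "app.example.com", SAMPLE_SET_COOKIES)
    same_host = handler.on_request("s1", "app.example.com", "SESSIONID=abc; lang=de")
    other_host = handler.on_request("s1", "other.example.com", "SESSIONID=abc")
    return to_client, same_host, other_host, handler.log


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In the sample, only SESSIONID and lang reach the client; role and pref are held in the jar and re-appear in the request to app.example.com. On a request to other.example.com the host-only role cookie is withheld by the domain check while the domain-wide pref cookie is inserted; with omit domain check enabled, both are inserted.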