"<cookie-security_name>"

security-mode {no |encrypted | signed}

Enter the security mode for the cookie security policy

• no—FortiWeb does not apply cookie tampering protection or encrypt cookie values.

• encrypted—Encrypts cookie values the back-end web server sends to clients. Clients see encrypted cookies only. FortiWeb decrypts cookies submitted by clients before it sends them to the back-end server.

• signed—Prevents tampering (cookie poisoning) by tracking the cookie value. This option requires you to enable Session Management in the protection policy and the client to support cookies. For details, see waf web-protection-profile inline-protection.

  When FortiWeb receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. When you select this option, the session-tracking cookie includes a hash value that FortiWeb uses to detect tampering with the cookie from the back-end server response. If FortiWeb determines the cookie from the client has changed, it takes the specified action according to action {alert |alert_deny | block-period | remove_cookie | deny_no_log}.

action {alert |alert_deny | block-period | remove_cookie | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when it detects cookie poisoning:

• alert—Accept the request and generate an alert email and/or log message.

• alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
  

  You can customize the web page that FortiWeb returns to the client with the HTTP status code.

• block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.
  

  Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. For details, see waf x-forwarded-for. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

• remove_cookie—Accept the request, but remove the poisoned cookie from the datagram before it reaches the web server, and generate an alert and/or log message.

• deny_no_log—Deny a request. Do not generate a log message.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. See config log disk and config log alertemail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

block-period <block-period_int>

severity {High |Medium | Low | Info}

trigger "trigger-policy_name>"

Enter the name of the trigger to apply when cookie poisoning is detected. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, type:

set trigger ?

cookie-replay-protection-type {no | IP}

Select whether FortiWeb uses the IP address of a request to determine the owner of the cookie.

Because the public IP of a client is not static in many environments, Fortinet recommends that you do not enable Cookie Replay.

Available only when security-mode {no |encrypted | signed} is encrypted.

max-age <max-age_int>

Set the cookie security attributes. Enter the maximum age, in minutes, permitted for cookies that do not have an “Expires” or “Max-Age” attribute. To configure no expiry age for cookies, enter 0.

secure-cookie {enable | disable}

Set the cookie security attributes. Enable to add the secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page.

http-only {enable | disable}

allow-suspicious-cookies{Never |Always | Custom}

Select whether FortiWeb allows requests that contain cookies that it does not recognize or that are missing cookies.

• When security-mode {no |encrypted | signed} is encrypted, suspicious cookies are cookies for which FortiWeb does not have a corresponding encrypted cookie value.

• When cookie-replay-protection-type {no | IP} is IP, the suspicious cookie is a missing cookie that tracks the client IP address.

In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

• Never—FortiWeb does not take the action specified by action against suspicious cookies.
• Always—FortiWeb always takes the specified action against suspicious cookies.
• Custom—FortiWeb takes the specified action against suspicious cookies starting on the date specified by allow-time "<time_str>". This feature is not available if security-mode {no |encrypted | signed} is signed.

allow-time "<time_str>"

<entry_index>

cookie-name "<cookie-name_str>"

cookie-domain "<cookie-domain_str>"