Cookie Parsing (RFC 6265)

Affects product: 
Airlock WAF

With Airlock WAF 7.4 the default parsing mechanism for cookies will change. The cookie parsing will conform to RFC 6265; the new parser can also be enabled in the maintenance releases 7.3.2 and 7.2.4.

Both the old and the new parser can break certain applications that do not respect the newest RFCs. This article provides technical information about the change.

Why did Airlock WAF change the cookie parsing

The old behavior breaks applications that set cookies with unencoded commas in their values. Even though commas in cookie values are not allowed according to RFC 6265, such cookies are accepted by all modern browsers and set by certain applications. Airlock WAF changed the cookie parsing to be compatible with such applications.

Why Airlock WAF parses cookies at all

Airlock WAF implements a cookie store. Cookies are not exposed to the client by default. This prevents various attacks on cookies and enables secure cookie exchange between back-ends. Airlock WAF further supports passing cookies directly to the client, either in cleartext or encrypted.

These features require that Airlock WAF parses all cookies in HTTP requests as well as in HTTP responses.

What changed

The old parser splits cookies by comma and semicolon.

Example:

Set-Cookie: A=X,B=Y

Airlock WAF sees 2 cookies here: A=X and B=Y

This breaks applications sending commas in cookie values:

Set-Cookie: Nonce=aaa,bbb

The parser modification affects the request header "Cookie" as well as the response header "Set-Cookie".
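To make the difference concrete, here is an added illustration (not Airlock's own parser code) that models the two behaviours described above with plain string handling: the legacy parser splits on both comma and semicolon, the RFC 6265 parser treats only the semicolon as a separator and expects exactly one cookie per Set-Cookie header. The function names and the simplifications (for example, dropping fragments without an "=") are assumptions made for this example.

```python
"""Legacy (comma and semicolon) versus RFC 6265 cookie parsing.

Added illustration, not Airlock's own parser: it models the two behaviours
the article describes. Function names and edge-case handling are assumptions.
"""
import re


def legacy_parse(header_value: str) -> list[tuple[str, str]]:
    """Old behaviour: split on ',' and ';', then split each piece on the first '='.

    A fragment without '=' (such as the 'bbb' in 'Nonce=aaa,bbb') is dropped
    in this model, so a comma inside a value truncates that value.
    """
    cookies = []
    for part in re.split(r"[,;]", header_value):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies.append((name.strip(), value.strip()))
    return cookies


def rfc6265_parse_cookie_header(header_value: str) -> list[tuple[str, str]]:
    """RFC 6265 request 'Cookie' header: cookie-pairs separated by ';' only.

    Commas are not a separator, so (like a browser) this keeps them inside the
    value even though RFC 6265 does not allow them there.
    """
    cookies = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies.append((name.strip(), value.strip()))
    return cookies


def rfc6265_parse_set_cookie(header_value: str) -> tuple[str, str, dict]:
    """RFC 6265 response 'Set-Cookie': exactly one cookie per header.

    Everything before the first ';' is the cookie-pair; the rest are
    attributes such as Path or Secure (flag attributes map to True).
    """
    first, *attrs = header_value.split(";")
    name, value = first.split("=", 1)
    attributes: dict = {}
    for attr in attrs:
        attr = attr.strip()
        if not attr:
            continue
        if "=" in attr:
            key, val = attr.split("=", 1)
            attributes[key.strip().lower()] = val.strip()
        else:
            attributes[attr.lower()] = True
    return name.strip(), value.strip(), attributes


if __name__ == "__main__":
    # The article's examples: the old parser sees two cookies in 'A=X,B=Y'
    # and truncates 'Nonce=aaa,bbb'; the new parser keeps the comma.
    print(legacy_parse("A=X,B=Y"))
    print(legacy_parse("Nonce=aaa,bbb"))
    print(rfc6265_parse_cookie_header("Nonce=aaa,bbb; SID=1"))
    print(rfc6265_parse_set_cookie("A=X,B=Y; Path=/; Secure"))
```

Run against the article's two example headers, the legacy parser returns two cookies for "A=X,B=Y" and only "aaa" for the Nonce cookie, while the RFC 6265 functions keep "aaa,bbb" as one value and treat "A=X,B=Y" as a single cookie named A.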

What the specifications say

Cookie parsing is described in three different RFCs. Here are some statements from these RFCs. [1] describes the difficulties regarding cookie parsing specifications quite well.

RFC 2109 from 1997: Allows multiple cookies within the same Set-Cookie header. Servers should accept comma and semicolon separated cookies (Airlock WAF default behavior before version 7.4).

RFC 2965 from 2000: Added a new definition of cookies (Set-Cookie2 header) that was later deprecated in RFC 6265.

RFC 6265 from 2011: Forbids multiple cookie values within the same Set-Cookie response header. Also forbids commas in cookie values. Further, forbids multiple Cookie headers in requests.

The new implementation of Airlock WAF follows the newest RFC 6265 which is also implemented by all modern browsers and most modern web application servers.

Incompatible applications

While this change fixes certain applications, it can break other applications that do not follow the new RFC. We are currently only aware of certain client-side frameworks that are incompatible with the new behavior. Web browsers are not affected. If you are migrating a non-browser client (e.g. a Java client application) from an Airlock WAF version before 7.4 to a newer Airlock WAF version, you should carefully test the application.

In the following cases the application will probably break:

  • If the client sends cookie values separated by comma
  • If the client sends multiple Cookie headers in a request. Cookies must be sent in a single, semicolon-separated Cookie header.

In the following cases the application may break:

  • If the server sends multiple cookies in the same Set-Cookie header

We are aware that the RESTful Web Service framework "Jersey" is affected by the first issue (bug report: [2]).

Note that such applications would also be incompatible with other reverse proxies or application servers following the new RFC, like newer Tomcat servers.
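A practical way to find affected clients before migrating is to run captured request and response headers through a check for the three cases listed above. The following is an added example (not Airlock code or tooling): the header lists, the function names and the sample headers are constructed for this illustration.

```python
"""Pre-migration check for the incompatible cases described above.

Added illustration, not Airlock code: given the header list of a captured
request or response, report which of the article's breaking cases apply.
Function names and the sample headers below are constructed for this example.
"""


def _cookie_pair(set_cookie: str) -> str:
    """The cookie-pair of a Set-Cookie header: everything before the first ';'."""
    return set_cookie.split(";", 1)[0].strip()


def check_request(headers: list[tuple[str, str]]) -> list[str]:
    """Report request-side cases that will probably break with RFC 6265 parsing."""
    findings = []
    cookie_headers = [v for n, v in headers if n.lower() == "cookie"]
    # Case: multiple Cookie headers in one request.
    if len(cookie_headers) > 1:
        findings.append(
            f"multiple Cookie headers ({len(cookie_headers)}): will probably break"
        )
    # Case: a comma inside a cookie value (RFC 6265 requires it to be encoded).
    for value in cookie_headers:
        for pair in value.split(";"):
            pair = pair.strip()
            if "=" not in pair:
                continue
            name, cookie_value = pair.split("=", 1)
            if "," in cookie_value:
                findings.append(
                    f"comma in value of cookie {name.strip()!r}: will probably break"
                )
    return findings


def check_response(headers: list[tuple[str, str]]) -> list[str]:
    """Report response-side cases that may break with RFC 6265 parsing."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair = _cookie_pair(value)
        # A comma in the cookie-pair means either several cookies packed into
        # one Set-Cookie header or an unencoded comma in the value; neither is
        # RFC 6265 compliant, and the two cannot be told apart reliably.
        if "," in pair:
            cookie_name = pair.split("=", 1)[0].strip()
            findings.append(
                f"comma in Set-Cookie {cookie_name!r} "
                "(multiple cookies or unencoded comma): may break"
            )
    return findings


# Constructed sample headers (not captured from a real system).
REQUEST_HEADERS = [
    ("Host", "app.example.test"),
    ("Cookie", "SID=1"),
    ("Cookie", "Nonce=aaa,bbb"),
]
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "A=X,B=Y; Path=/"),
    ("Set-Cookie", "SID=1; Path=/; HttpOnly"),
]


if __name__ == "__main__":
    for finding in check_request(REQUEST_HEADERS) + check_response(RESPONSE_HEADERS):
        print(finding)
```

On the constructed sample the request check reports both the duplicate Cookie headers and the comma in the Nonce value; the response check flags only the first Set-Cookie header, since "SID=1; Path=/; HttpOnly" is a single RFC 6265 cookie with attributes.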

Configuration Settings

The following two configuration settings are available in Airlock WAF 7.3.2, 7.2.4, 7.4 and above.

Apache Expert Setting, globally or on virtual host

AirlockLegacyCookieParsing "TRUE" | "FALSE"

SG Expert Setting, globally or on virtual host

LegacyCookieParsing "TRUE" | "FALSE"

The Apache Expert Setting is used to configure the cookie parsing of the HTTP request (HTTP header name "Cookie").

The SG Expert Setting is used to configure the cookie parsing of the HTTP response (HTTP header name "Set-Cookie").

Note that the settings must be configured in the corresponding Expert Settings sections.

The defaults for the settings are:

For Airlock WAF 7.3.2 and 7.2.4: Legacy parsing is enabled, so that the maintenance update will not change the cookie parsing and therefore will not break any running application.

For Airlock WAF 7.4 and above: Legacy parsing is disabled to be compatible with RFC 6265.

The following table describes how we recommend configuring Airlock WAF.

Application type: Common applications fully compliant with RFC 6265 (most applications)
Correct behavior of the application: -
Airlock WAF version: All Airlock WAF versions
Configuration recommendation: Use default settings

Application type: Applications sending commas in cookie values
Correct behavior of the application: Commas in cookie values must be encoded according to RFC 6265*
Airlock WAF version: 7.3.2 and above, 7.2.4 and above
Configuration recommendation: Disable legacy cookie parsing
Airlock WAF version: 7.4 and above
Configuration recommendation: Use default settings

Application type: Clients sending multiple request cookie headers
Correct behavior of the application: Cookies in HTTP requests must be sent in a single Cookie header*
Airlock WAF version: 7.4 and above
Configuration recommendation: Enable legacy cookie parsing

There may be other special client behaviors not mentioned in this table.

*We recommend updating or fixing affected applications so that they are compatible with RFC 6265.

Please let us know if your application is not working with the new Airlock WAF cookie parsing scheme and you are using a common and modern framework for cookie handling, because we intend to deprecate the legacy parsing in the future.

References

[1] https://daniel.haxx.se/blog/2011/04/28/the-cookie-rfc-6265/
[2] https://github.com/eclipse-ee4j/jersey/issues/2811