We seem to have some trouble with the SameSite attribute missing from the ROUTEID cookies used by Webserver Protection for session stickiness. Since the introduction of Chrome 80 we see an increase in users not returning to the same real servers. This only seems to happen when the user returns to our domain via a POST request from an external site, and it seems to have everything to do with Chrome >80 defaulting to 'Lax'.
Has anybody else seen this, or does anybody know how to work around it (other than hacking the httpd.conf files)?
Hello M.D
Thank you for contacting the Sophos Community.
I asked a senior Support Engineer, but they asked whether you have any example so we can ask DEV about this; it might just be an issue with Chrome 80.
Do you have any log that you can share?
Regards,
Hi Emmanuel,
As a temporary fix we've done the following on our UTMs:
sed -i.old 's/secure" env=BALANCER_ROUTE_CHANGED/secure; SameSite=None" env=BALANCER_ROUTE_CHANGED/' /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
/var/mdw/scripts/reverseproxy restart
The problem manifests itself when we send users to external payment/transaction pages from which they return with an HTTP-POST request:
2020:08:03-16:48:10 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="5189" url="/payment/" server="payment.ourdomain.com" port="443" query="?transaction=12BldOAW6ahd43lfKswziZrXXXXXXXXXXXXXXXXX&lang=fr_FR" referer="www.ourcustomer.fr/.../ cookie="-" set-cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygjqmmthQ3Q7CWYvyUDxwAAAU8"
...
2020:08:03-16:51:15 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="14" user="-" host="17.28.x.x" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="49676" url="/favicon.ico" server="payment.ourdomain.com" port="443" query="" referer="payment.ourdomain.com/.../ cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; __cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygkYwuS44FLy5unoyxKwQAAAa0"
2020:08:03-16:51:33 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="3" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"
2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="POST" statuscode="302" reason="-" extra="-" exceptions="-" time="1927255" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer="sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="-" set-cookie="PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkh-6d5VZZUwGx3xxAIQAAADw"
2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="4141" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer="sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="__cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157; PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkif6d5VZZUwGx3xxANAAAADw"
Marcel
P.S. Do not forget that any changes in 'webserver protection' done in the GUI will revert these changes, as will an HA-switch-over!
Hello Emmosophos,
We are having the same issue. Apparently Chrome changed something a few weeks ago. You can read about that change here.
https://www.chromestatus.com/feature/5088147346030592
I guess we need to be able to change that SameSite attribute of the cookie the UTM sends for the routeid.
I hope you can help.
Thank you for the follow-up and the workaround.
I will ask the Senior Engineer about this now that you have provided the example, to see if we can bring it up as a question to DEV so they can tell us what path to follow.
Hello M.D,
The Senior Engineer is asking if you could provide the config file from before the sed command and from after the sed command.
Please send this via PM.
Also, do you have multiple real servers behind the virtual server, or is it just one to one?
Hello Martijn,
Thank you for contacting the Sophos Community and the Link.
If you haven't done the workaround provided above your post, please do it for now; also, if possible, please send us the config file from before and after the change.
redacted modified /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf:
KeepAlive On
ServerName utm-01.ourcompany.com
ServerAdmin sysadmin@ourcompany.com
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
RemoteIPProxyProtocol Off
Listen 165.59.129.20:443 https
Listen 165.59.129.20:80 http
<VirtualHost 165.59.129.20:443>
    ServerName ourcompany.com
    ServerAlias 165.59.129.20
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
        BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
        BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
        ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
        SetEnv proxy-aside-c
        Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure; SameSite=None" env=BALANCER_ROUTE_CHANGED
        ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
        ProxyPassReverse "http://192.168.6.22:80/"
        ProxyPassReverse "http://192.168.6.22/"
        ProxyPassReverse "http://192.168.6.33:80/"
        ProxyPassReverse "http://192.168.6.33/"
        ProxyPassReverse "http://*.ourcompany.com/"
        ProxyPassReverse "http://ourcompany.com/"
        ProxyPassReverse "http://165.59.129.20/"
        SetOutputFilter DEFLATE
        <RequireAll>
            Require all granted
        </RequireAll>
    </Location>
</VirtualHost>
<VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
        Require all granted
        RedirectSSL permanent / 443
    </Location>
</VirtualHost>
<VirtualHost 165.59.129.20:443>
    ServerName REF_RevFroOurpay12922
    ServerAlias *.ourcompany.com
    UseCanonicalName Off
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
        BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
        BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
        ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
        SetEnv proxy-aside-c
        Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure; SameSite=None" env=BALANCER_ROUTE_CHANGED
        ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
        ProxyPassReverse "http://192.168.6.22:80/"
        ProxyPassReverse "http://192.168.6.22/"
        ProxyPassReverse "http://192.168.6.33:80/"
        ProxyPassReverse "http://192.168.6.33/"
        ProxyPassReverse "http://*.ourcompany.com/"
        ProxyPassReverse "http://ourcompany.com/"
        ProxyPassReverse "http://165.59.129.20/"
        SetOutputFilter DEFLATE
        <RequireAll>
            Require all granted
        </RequireAll>
    </Location>
</VirtualHost>
<VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
        Require all granted
        RedirectSSL permanent / 443
    </Location>
</VirtualHost>
redacted original /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf.old:
KeepAlive On
ServerName utm-01.ourcompany.com
ServerAdmin sysadmin@ourcompany.com
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
RemoteIPProxyProtocol Off
Listen 165.59.129.20:443 https
Listen 165.59.129.20:80 http
<VirtualHost 165.59.129.20:443>
    ServerName ourcompany.com
    ServerAlias 165.59.129.20
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
        BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
        BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
        ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
        SetEnv proxy-aside-c
        Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
        ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
        ProxyPassReverse "http://192.168.6.22:80/"
        ProxyPassReverse "http://192.168.6.22/"
        ProxyPassReverse "http://192.168.6.33:80/"
        ProxyPassReverse "http://192.168.6.33/"
        ProxyPassReverse "http://*.ourcompany.com/"
        ProxyPassReverse "http://ourcompany.com/"
        ProxyPassReverse "http://165.59.129.20/"
        SetOutputFilter DEFLATE
        <RequireAll>
            Require all granted
        </RequireAll>
    </Location>
</VirtualHost>
<VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
        Require all granted
        RedirectSSL permanent / 443
    </Location>
</VirtualHost>
<VirtualHost 165.59.129.20:443>
    ServerName REF_RevFroOurpay12922
    ServerAlias *.ourcompany.com
    UseCanonicalName Off
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
        BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
        BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
        ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
        SetEnv proxy-aside-c
        Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
        ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
        ProxyPassReverse "http://192.168.6.22:80/"
        ProxyPassReverse "http://192.168.6.22/"
        ProxyPassReverse "http://192.168.6.33:80/"
        ProxyPassReverse "http://192.168.6.33/"
        ProxyPassReverse "http://*.ourcompany.com/"
        ProxyPassReverse "http://ourcompany.com/"
        ProxyPassReverse "http://165.59.129.20/"
        SetOutputFilter DEFLATE
        <RequireAll>
            Require all granted
        </RequireAll>
    </Location>
</VirtualHost>
<VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
        Require all granted
        RedirectSSL permanent / 443
    </Location>
</VirtualHost>
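The only difference between the two files is the ROUTEID "Header add Set-Cookie" line in each Location block, and the P.S. earlier in the thread warns that a GUI change or an HA switch-over silently regenerates the file without it. The following Python script is an added example for this thread, not Sophos code and not the poster's; it is an idempotent equivalent of the sed workaround plus a drift check that can be run from cron or a monitoring job. The ROUTEID cookie regex and the env=BALANCER_ROUTE_CHANGED condition are taken from the config above; the abridged config text at the bottom is constructed for the example (two Location blocks, everything else omitted), and the file path in the usage block is the one from the thread. Note that SameSite=None is only accepted by browsers together with the Secure attribute, which the UTM's cookie already carries.

```python
import re
import sys

# The stickiness Set-Cookie line the UTM writes into reverseproxy.conf, split into
# (header + cookie attributes) (closing quote) (env condition) so the attributes can be extended.
ROUTEID_HEADER_RE = re.compile(
    r'(Header add Set-Cookie "ROUTEID\.[0-9a-f]+=\.%\{BALANCER_WORKER_ROUTE\}e;[^"]*)'
    r'(")'
    r'( env=BALANCER_ROUTE_CHANGED)'
)
SAMESITE_RE = re.compile(r"SameSite=", re.IGNORECASE)


def routeid_cookie_attrs(conf_text):
    """Attribute part of every ROUTEID Set-Cookie line (one per <Location> block)."""
    return [m.group(1) for m in ROUTEID_HEADER_RE.finditer(conf_text)]


def missing_samesite(conf_text):
    """True if any ROUTEID cookie line lacks a SameSite attribute, i.e. the workaround
    is absent or has been reverted by a GUI change or an HA switch-over."""
    return any(not SAMESITE_RE.search(attrs) for attrs in routeid_cookie_attrs(conf_text))


def ensure_samesite_none(conf_text):
    """Idempotent version of the sed workaround: append '; SameSite=None' to each ROUTEID
    cookie line that does not already declare SameSite; lines that do are left untouched."""
    def patch(m):
        attrs, quote, env = m.groups()
        if SAMESITE_RE.search(attrs):
            return m.group(0)
        return f"{attrs}; SameSite=None{quote}{env}"
    return ROUTEID_HEADER_RE.sub(patch, conf_text)


# Constructed, abridged reverseproxy.conf with two Location blocks (not the real file).
SAMPLE_CONF = """<VirtualHost 165.59.129.20:443>
    <Location "/">
        Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
    </Location>
</VirtualHost>
<VirtualHost 165.59.129.20:443>
    <Location "/">
        Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    # Usage: python routeid_samesite.py [--fix] /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
    # Without --fix it only reports (exit 1 when the attribute is missing), so it is safe as a drift check.
    args = [a for a in sys.argv[1:] if a != "--fix"]
    path = args[0] if args else None
    text = open(path).read() if path else SAMPLE_CONF
    if missing_samesite(text):
        print("ROUTEID cookie without SameSite found:", path or "<sample>")
        if "--fix" in sys.argv and path:
            open(path, "w").write(ensure_samesite_none(text))
            print("patched; restart the reverse proxy to apply (/var/mdw/scripts/reverseproxy restart)")
        else:
            sys.exit(1)
    else:
        print("all ROUTEID cookie lines carry SameSite:", path or "<sample>")
```

Because the check is idempotent, it can run every few minutes on both HA nodes and alert (exit status 1) whenever the UTM has regenerated the file, which is the failure mode the P.S. describes; the --fix path re-applies the workaround, but it is the same manual patch as the sed command and will be undone again by the next GUI save.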
Thank you for the reply.
I will do the workaround later today.
We have one virtual server, pointing to 3 real servers.
Thank you for the follow-up and the files.
I will check with the Senior Engineer. I will update you once I hear back from him.