Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 9 replies
  • Subscribers 4 subscribers
  • Views 4505 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SameSite setting for ROUTERID-cookies

M.D. Klapwijk

We seem to have some trouble with the SameSite setting missing in the ROUTERID-cookies used by the Webserver protection session stickiness. Since the introduction of Chrome 80 we see an increase of users not returning to the same real servers. This only seems to happen when the user returns to our domain via a POST-request from an external site and seems to has all to do with the defaulting to 'lax' by Chrome >80.

Does anybody also seen this or know how to work around this (other then hacking the httpd.conf files)? 



This thread was automatically locked due to age.
  • 0

    Hello M.D

    Thank you for contacting the Sophos Community.

    I asked a senior Support Engineer, but they requested if you have any example so we can ask DEV about this, it might just be an issue with Chrome 80.

    Do you have any log that you can share?

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • +1 in reply to emmosophos

    Hi Emmanuel,

    As a temporary fix we've done the following on our UTM's:

    sed -i.old 's/secure" env=BALANCER_ROUTE_CHANGED/secure; SameSite=None" env=BALANCER_ROUTE_CHANGED/' /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
    /var/mdw/scripts/reverseproxy restart

    The problem manifests itself when we send users to external payment/transaction pages from which they return with an HTTP-POST request:

    2020:08:03-16:48:10 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="5189" url="/payment/" server="payment.ourdomain.com" port="443" query="?transaction=12BldOAW6ahd43lfKswziZrXXXXXXXXXXXXXXXXX&lang=fr_FR" referer="www.ourcustomer.fr/.../ cookie="-" set-cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygjqmmthQ3Q7CWYvyUDxwAAAU8"
    ...
    2020:08:03-16:51:15 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="14" user="-" host="17.28.x.x" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="49676" url="/favicon.ico" server="payment.ourdomain.com" port="443" query="" referer="payment.ourdomain.com/.../ cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; __cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygkYwuS44FLy5unoyxKwQAAAa0"
    2020:08:03-16:51:33 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="3" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"
    2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="POST" statuscode="302" reason="-" extra="-" exceptions="-" time="1927255" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer="sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="-" set-cookie="PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkh-6d5VZZUwGx3xxAIQAAADw"
    2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="4141" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer="sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="__cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157; PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkif6d5VZZUwGx3xxANAAAADw"

    Regards,

     

    Marcel

     

    P.S. Do not forget that any changes in 'webserver protection' done in the GUI will revert these changes, as will an HA-switch-over!

  • 0 in reply to emmosophos

    Hello Emmosophos,

     

    We are having the same issue. Apparently Chrome changed something a few weeks ago. You can read about that change here.

    https://www.chromestatus.com/feature/5088147346030592

    I guess we need to be able to change that SameSite attribute of the cookie the UTM sends for the routeid.

    I hope you can help.

  • 0 in reply to M.D. Klapwijk

    Hello M.D

    Thank you for the follow-up and the workaround.

    I will ask the Senior Engineer about this, now that you have provided the example to see if we can bring up as a question to DEV for them to tell what would be the path to follow.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Hello M.D,

    The Senior Engineer is asking if you could provide the Config file before the sed command and after the sed command.

    Please send this via PM.

    And also do you have multiple real servers for the virtual server or is it just one and one?

     

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to Martijn Bouman

    Hello Martijn,

    Thank you for contacting the Sophos Community and the Link.

    If you haven't done the work around provided above your post, please do it for now, also if possible please send us the config file before and after the change. 

    And also do you have multiple real servers for the virtual server or is it just one and one?

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    redacted modified /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf:

    KeepAlive On
    ServerName utm-01.ourcompany.com
    ServerAdmin sysadmin@ourcompany.com
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    RemoteIPProxyProtocol Off
    Listen 165.59.129.20:443 https
    Listen 165.59.129.20:80 http
    <VirtualHost 165.59.129.20:443>
     ServerName ourcompany.com
     ServerAlias 165.59.129.20
     SSLProxyEngine On
     SSLEngine On
     SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
     SSLCACertificatePath /usr/apache/conf/cacerts/
     SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
     ProxyPreserveHost On
     SecRuleEngine Off
     RequestHeader set X-Forwarded-Proto https
     DocumentRoot /var/www/REF_RevFroOurpay12922
     SetEnv proxy-initial-not-pooled
     <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
     BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
     BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
     ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
     </Proxy>
     <Location "/">
     SetEnv proxy-aside-c
     Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure; SameSite=None" env=BALANCER_ROUTE_CHANGED
     ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
     ProxyPassReverse "http://192.168.6.22:80/"
     ProxyPassReverse "http://192.168.6.22/"
     ProxyPassReverse "http://192.168.6.33:80/"
     ProxyPassReverse "http://192.168.6.33/"
     ProxyPassReverse "http://*.ourcompany.com/"
     ProxyPassReverse "http://ourcompany.com/"
     ProxyPassReverse "http://165.59.129.20/"
     SetOutputFilter DEFLATE
     <RequireAll>
     Require all granted
     </RequireAll>
     </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
     ServerName REF_RevFroOurpay12922_redirect_ssl
     ServerAlias *.ourcompany.com
     ServerAlias ourcompany.com
     ServerAlias 165.59.129.20
     <Location />
     Require all granted
     RedirectSSL permanent / 443
     </Location>
    </Virtualhost>
    <VirtualHost 165.59.129.20:443>
     ServerName REF_RevFroOurpay12922
     ServerAlias *.ourcompany.com
     UseCanonicalName Off
     SSLProxyEngine On
     SSLEngine On
     SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
     SSLCACertificatePath /usr/apache/conf/cacerts/
     SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
     ProxyPreserveHost On
     SecRuleEngine Off
     RequestHeader set X-Forwarded-Proto https
     DocumentRoot /var/www/REF_RevFroOurpay12922
     SetEnv proxy-initial-not-pooled
     <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
     BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
     BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
     ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
     </Proxy>
     <Location "/">
     SetEnv proxy-aside-c
     Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure; SameSite=None" env=BALANCER_ROUTE_CHANGED
     ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
     ProxyPassReverse "http://192.168.6.22:80/"
     ProxyPassReverse "http://192.168.6.22/"
     ProxyPassReverse "http://192.168.6.33:80/"
     ProxyPassReverse "http://192.168.6.33/"
     ProxyPassReverse "http://*.ourcompany.com/"
     ProxyPassReverse "http://ourcompany.com/"
     ProxyPassReverse "http://165.59.129.20/"
     SetOutputFilter DEFLATE
     <RequireAll>
     Require all granted
     </RequireAll>
     </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
     ServerName REF_RevFroOurpay12922_redirect_ssl
     ServerAlias *.ourcompany.com
     ServerAlias ourcompany.com
     ServerAlias 165.59.129.20
     <Location />
     Require all granted
     RedirectSSL permanent / 443
     </Location>
    </Virtualhost>

     

    redacted original /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf.old:

    KeepAlive On
    ServerName utm-01.ourcompany.com
    ServerAdmin sysadmin@ourcompany.com
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    RemoteIPProxyProtocol Off
    Listen 165.59.129.20:443 https
    Listen 165.59.129.20:80 http
    <VirtualHost 165.59.129.20:443>
     ServerName ourcompany.com
     ServerAlias 165.59.129.20
     SSLProxyEngine On
     SSLEngine On
     SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
     SSLCACertificatePath /usr/apache/conf/cacerts/
     SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
     ProxyPreserveHost On
     SecRuleEngine Off
     RequestHeader set X-Forwarded-Proto https
     DocumentRoot /var/www/REF_RevFroOurpay12922
     SetEnv proxy-initial-not-pooled
     <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
     BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
     BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
     ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
     </Proxy>
     <Location "/">
     SetEnv proxy-aside-c
     Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
     ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
     ProxyPassReverse "http://192.168.6.22:80/"
     ProxyPassReverse "http://192.168.6.22/"
     ProxyPassReverse "http://192.168.6.33:80/"
     ProxyPassReverse "http://192.168.6.33/"
     ProxyPassReverse "http://*.ourcompany.com/"
     ProxyPassReverse "http://ourcompany.com/"
     ProxyPassReverse "http://165.59.129.20/"
     SetOutputFilter DEFLATE
     <RequireAll>
     Require all granted
     </RequireAll>
     </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
     ServerName REF_RevFroOurpay12922_redirect_ssl
     ServerAlias *.ourcompany.com
     ServerAlias ourcompany.com
     ServerAlias 165.59.129.20
     <Location />
     Require all granted
     RedirectSSL permanent / 443
     </Location>
    </Virtualhost>
    <VirtualHost 165.59.129.20:443>
     ServerName REF_RevFroOurpay12922
     ServerAlias *.ourcompany.com
     UseCanonicalName Off
     SSLProxyEngine On
     SSLEngine On
     SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
     SSLCACertificatePath /usr/apache/conf/cacerts/
     SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
     ProxyPreserveHost On
     SecRuleEngine Off
     RequestHeader set X-Forwarded-Proto https
     DocumentRoot /var/www/REF_RevFroOurpay12922
     SetEnv proxy-initial-not-pooled
     <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
     BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
     BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
     ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
     </Proxy>
     <Location "/">
     SetEnv proxy-aside-c
     Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
     ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
     ProxyPassReverse "http://192.168.6.22:80/"
     ProxyPassReverse "http://192.168.6.22/"
     ProxyPassReverse "http://192.168.6.33:80/"
     ProxyPassReverse "http://192.168.6.33/"
     ProxyPassReverse "http://*.ourcompany.com/"
     ProxyPassReverse "http://ourcompany.com/"
     ProxyPassReverse "http://165.59.129.20/"
     SetOutputFilter DEFLATE
     <RequireAll>
     Require all granted
     </RequireAll>
     </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
     ServerName REF_RevFroOurpay12922_redirect_ssl
     ServerAlias *.ourcompany.com
     ServerAlias ourcompany.com
     ServerAlias 165.59.129.20
     <Location />
     Require all granted
     RedirectSSL permanent / 443
     </Location>
    </Virtualhost>
  • 0 in reply to emmosophos

    Thank you for the reply.

     

    I will do the workaround later today.

    We have one virtual server, pointing to 3 real servers.

  • 0 in reply to M.D. Klapwijk

    Hello M.D

    Thank you for the follow-up and the files.

    I will check with the Senior Engineer. I will update you once I hear back from him. 

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Unfiltered HTML