This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SameSite setting for ROUTERID-cookies

We seem to have some trouble with the SameSite setting missing in the ROUTERID-cookies used by the Webserver protection session stickiness. Since the introduction of Chrome 80 we see an increase of users not returning to the same real servers. This only seems to happen when the user returns to our domain via a POST-request from an external site and seems to has all to do with the defaulting to 'lax' by Chrome >80.

Does anybody also seen this or know how to work around this (other then hacking the httpd.conf files)? 



This thread was automatically locked due to age.
Parents Reply Children
  • Hi Emmanuel,

    As a temporary fix we've done the following on our UTM's:

    sed -i.old 's/secure" env=BALANCER_ROUTE_CHANGED/secure; SameSite=None" env=BALANCER_ROUTE_CHANGED/' /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
    /var/mdw/scripts/reverseproxy restart

    The problem manifests itself when we send users to external payment/transaction pages from which they return with an HTTP-POST request:

    2020:08:03-16:48:10 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="5189" url="/payment/" server="payment.ourdomain.com" port="443" query="?transaction=12BldOAW6ahd43lfKswziZrXXXXXXXXXXXXXXXXX&lang=fr_FR" referer="www.ourcustomer.fr/.../ cookie="-" set-cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygjqmmthQ3Q7CWYvyUDxwAAAU8"
    ...
    2020:08:03-16:51:15 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="14" user="-" host="17.28.x.x" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="49676" url="/favicon.ico" server="payment.ourdomain.com" port="443" query="" referer="payment.ourdomain.com/.../ cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; __cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygkYwuS44FLy5unoyxKwQAAAa0"
    2020:08:03-16:51:33 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="3" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"
    2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="POST" statuscode="302" reason="-" extra="-" exceptions="-" time="1927255" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer="sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="-" set-cookie="PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkh-6d5VZZUwGx3xxAIQAAADw"
    2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="4141" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer="sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="__cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157; PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkif6d5VZZUwGx3xxANAAAADw"

    Regards,

     

    Marcel

     

    P.S. Do not forget that any changes in 'webserver protection' done in the GUI will revert these changes, as will an HA-switch-over!

  • Hello Emmosophos,

     

    We are having the same issue. Apparently Chrome changed something a few weeks ago. You can read about that change here.

    https://www.chromestatus.com/feature/5088147346030592

    I guess we need to be able to change that SameSite attribute of the cookie the UTM sends for the routeid.

    I hope you can help.

  • Hello M.D

    Thank you for the follow-up and the workaround.

    I will ask the Senior Engineer about this, now that you have provided the example to see if we can bring up as a question to DEV for them to tell what would be the path to follow.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello M.D,

    The Senior Engineer is asking if you could provide the Config file before the sed command and after the sed command.

    Please send this via PM.

    And also do you have multiple real servers for the virtual server or is it just one and one?

     

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello Martijn,

    Thank you for contacting the Sophos Community and the Link.

    If you haven't done the work around provided above your post, please do it for now, also if possible please send us the config file before and after the change. 

    And also do you have multiple real servers for the virtual server or is it just one and one?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • redacted modified /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf:

    KeepAlive On
    ServerName utm-01.ourcompany.com
    ServerAdmin sysadmin@ourcompany.com
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    RemoteIPProxyProtocol Off
    Listen 165.59.129.20:443 https
    Listen 165.59.129.20:80 http
    <VirtualHost 165.59.129.20:443>
    ServerName ourcompany.com
    ServerAlias 165.59.129.20
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
    BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
    BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
    ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
    SetEnv proxy-aside-c
    Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure; SameSite=None" env=BALANCER_ROUTE_CHANGED
    ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
    ProxyPassReverse "http://192.168.6.22:80/"
    ProxyPassReverse "http://192.168.6.22/"
    ProxyPassReverse "http://192.168.6.33:80/"
    ProxyPassReverse "http://192.168.6.33/"
    ProxyPassReverse "http://*.ourcompany.com/"
    ProxyPassReverse "http://ourcompany.com/"
    ProxyPassReverse "http://165.59.129.20/"
    SetOutputFilter DEFLATE
    <RequireAll>
    Require all granted
    </RequireAll>
    </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
    Require all granted
    RedirectSSL permanent / 443
    </Location>
    </Virtualhost>
    <VirtualHost 165.59.129.20:443>
    ServerName REF_RevFroOurpay12922
    ServerAlias *.ourcompany.com
    UseCanonicalName Off
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
    BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
    BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
    ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
    SetEnv proxy-aside-c
    Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure; SameSite=None" env=BALANCER_ROUTE_CHANGED
    ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
    ProxyPassReverse "http://192.168.6.22:80/"
    ProxyPassReverse "http://192.168.6.22/"
    ProxyPassReverse "http://192.168.6.33:80/"
    ProxyPassReverse "http://192.168.6.33/"
    ProxyPassReverse "http://*.ourcompany.com/"
    ProxyPassReverse "http://ourcompany.com/"
    ProxyPassReverse "http://165.59.129.20/"
    SetOutputFilter DEFLATE
    <RequireAll>
    Require all granted
    </RequireAll>
    </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
    Require all granted
    RedirectSSL permanent / 443
    </Location>
    </Virtualhost>

     

    redacted original /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf.old:

    KeepAlive On
    ServerName utm-01.ourcompany.com
    ServerAdmin sysadmin@ourcompany.com
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
    RemoteIPProxyProtocol Off
    Listen 165.59.129.20:443 https
    Listen 165.59.129.20:80 http
    <VirtualHost 165.59.129.20:443>
    ServerName ourcompany.com
    ServerAlias 165.59.129.20
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
    BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
    BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
    ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
    SetEnv proxy-aside-c
    Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
    ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
    ProxyPassReverse "http://192.168.6.22:80/"
    ProxyPassReverse "http://192.168.6.22/"
    ProxyPassReverse "http://192.168.6.33:80/"
    ProxyPassReverse "http://192.168.6.33/"
    ProxyPassReverse "http://*.ourcompany.com/"
    ProxyPassReverse "http://ourcompany.com/"
    ProxyPassReverse "http://165.59.129.20/"
    SetOutputFilter DEFLATE
    <RequireAll>
    Require all granted
    </RequireAll>
    </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
    Require all granted
    RedirectSSL permanent / 443
    </Location>
    </Virtualhost>
    <VirtualHost 165.59.129.20:443>
    ServerName REF_RevFroOurpay12922
    ServerAlias *.ourcompany.com
    UseCanonicalName Off
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /usr/apache/conf/ssl/REF_CaHosOur2020010.pem
    SSLCACertificatePath /usr/apache/conf/cacerts/
    SSLCertificateKeyFile /usr/apache/conf/ssl/REF_CaHosOur2020010.key
    ProxyPreserveHost On
    SecRuleEngine Off
    RequestHeader set X-Forwarded-Proto https
    DocumentRoot /var/www/REF_RevFroOurpay12922
    SetEnv proxy-initial-not-pooled
    <Proxy balancer://258030ef20bcfe4db4a6d742388e7563>
    BalancerMember http://192.168.6.22 status=-SE timeout=300 route=node1
    BalancerMember http://192.168.6.33 status=-SE timeout=300 route=node2
    ProxySet stickysession=ROUTEID.258030ef20bcfe4db4a6d742388e7563
    </Proxy>
    <Location "/">
    SetEnv proxy-aside-c
    Header add Set-Cookie "ROUTEID.258030ef20bcfe4db4a6d742388e7563=.%{BALANCER_WORKER_ROUTE}e; path=/; httponly; secure" env=BALANCER_ROUTE_CHANGED
    ProxyPass "balancer://258030ef20bcfe4db4a6d742388e7563/" lbmethod=bybusyness
    ProxyPassReverse "http://192.168.6.22:80/"
    ProxyPassReverse "http://192.168.6.22/"
    ProxyPassReverse "http://192.168.6.33:80/"
    ProxyPassReverse "http://192.168.6.33/"
    ProxyPassReverse "http://*.ourcompany.com/"
    ProxyPassReverse "http://ourcompany.com/"
    ProxyPassReverse "http://165.59.129.20/"
    SetOutputFilter DEFLATE
    <RequireAll>
    Require all granted
    </RequireAll>
    </Location>
    </VirtualHost>
    <VirtualHost 165.59.129.20:80>
    ServerName REF_RevFroOurpay12922_redirect_ssl
    ServerAlias *.ourcompany.com
    ServerAlias ourcompany.com
    ServerAlias 165.59.129.20
    <Location />
    Require all granted
    RedirectSSL permanent / 443
    </Location>
    </Virtualhost>
  • Thank you for the reply.

     

    I will do the workaround later today.

    We have one virtual server, pointing to 3 real servers.

  • Hello M.D

    Thank you for the follow-up and the files.

    I will check with the Senior Engineer. I will update you once I hear back from him. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.