Protecting against cookie poisoning and other cookie-based attacks

A cookie security policy allows you to configure FortiWeb features that prevent cookie-based attacks and apply them in a protection profile. For example, a policy can enable cookie poisoning detection, encrypt the cookies issued by a back-end server, and add security attributes to cookies.

When you first introduce some of the cookie security features, cookies that client browsers have cached earlier can generate false positives. To avoid this problem, use the Allow Suspicious Cookies setting to either take no action against violations of the cookie security features or delay taking action until a specific date.
To configure cookie security

1.  Go to Web Protection > Cookie Security.

2.  Click Create New and complete the following settings:

Setting name Description
Name Enter a name that identifies the policy when you select it in a protection profile.
Security Mode
  • NoneFortiWeb does not apply cookie tampering protection or encrypt cookie values.
  • Signed — Prevents tampering (cookie poisoning) by tracking the cookie value. This option requires you to enable Session Management in the protection policy and the client to support cookies.

    When FortiWeb receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. When you select this option, the session-tracking cookie includes a hash value that FortiWeb uses to detect tampering with the cookie from the back-end server response. If FortiWeb determines the cookie from the client has changed, it takes the specified action.
  • Encrypted — Encrypts cookie values the back-end web server sends to clients. Clients see only encrypted cookies. FortiWeb decrypts cookies submitted by clients before it sends them to the back-end server. No back-end server configuration changes are required.
Cookie Replay

Optionally, select whether FortiWeb uses the IP address of a request to determine the owner of the cookie.

Note: This is available only when Security Mode is configured as Encrypted.

To disable this feature, do not select an option. By default, no option is selected.

Because the public IP of a client is not static in many environments, Fortinet recommends that you do not enable Cookie Replay.

In some environments (for example, if FortiWeb is deployed behind a NAT load balancer), an X-header configuration is required to provide the original client’s IP. See Defining your proxies, clients, & X-headers.

Allow Suspicious Cookies

Select whether FortiWeb allows requests that contain cookies that it does not recognize or that are missing cookies.

  • When Security Mode is Encrypted, suspicious cookies are cookies for which FortiWeb does not have a corresponding encrypted cookie value.
  • When Cookie Replay is IP, the suspicious cookie is a missing cookie that tracks the client IP address.

In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

  • NeverFortiWeb does not take the action specified by Action against suspicious cookies.
  • AlwaysFortiWeb always takes the specified action against suspicious cookies.
  • CustomFortiWeb takes the specified action against suspicious cookies starting on the date specified by Don't Block Until.

This feature is not available if Security Mode is Signed or None.

  Don't Block Until If Allow Suspicious Cookies is Custom, enter the date on which FortiWeb starts to take the specified action against suspicious cookies.
Cookie Security Attributes  
  Cookie Max Age Enter the maximum age (in minutes) permitted for cookies that do not have an “Expires” or “Max-Age” attribute.

To configure no expiry age for cookies, enter 0.
  Secure Cookie Enable to add the secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page.
  HTTP Only

Enable to add the "HTTP Only" flag to cookies, which prevents client-side scripts from accessing the cookie.

Warning: enabling this feature may break web applications that use cookies.


For cookie security features that trigger an action, select the action that FortiWeb takes:

  • Alert — Accept the request and generate an alert email, log message, or both.
  • Alert & Deny — Block the request and generate an alert, log message, or both.
  • Remove Cookie — Accept the request, but remove the cookie from the datagram before it reaches the web server, and generate an alert message, log message, or both.
  • Period Block — Block requests for the number of seconds specified by Block Period. See also Monitoring currently blocked IPs.
    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see Defining your proxies, clients, & X-headers). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
  Block Period When Action is Period Block, the number of seconds that FortiWeb blocks requests that have violated cookie security features.
  Severity Select the severity level FortiWeb uses when it logs a violation of a cookie security feature.
  Trigger Policy Select the trigger policy FortiWeb uses when it logs a violation of a cookie security feature.

3.  Click OK.

4.  If you want to specify cookies that are exempt from the cookie security policy, under the Cookie Exceptions Table, click Create New and complete the following settings:


Setting name Description
Cookie Name Enter the name of the cookie, such as NID.
Cookie Domain

Optionally, enter the partial or complete domain name or IP address as it appears in the cookie. For example:

If clients sometimes access the back-end server via IP address instead of DNS, create exemption items for both.

Cookie Path Optionally, enter the path as it appears in the cookie, such as / or /blog/folder.

6.  To apply the cookie security policy, select it in an inline protection profile (see Configuring a protection profile for inline topologies).

If Security Mode is Signed, ensure that Session Management is enabled for the profile.