Securing the ARRAffinity Cookie

  • Article

Usually when we talk about COOKIES the primary reason would be to manage state, handle logins etc. So, it would be a quintessential property to keep it safe and to prevent any breach of security. Just like how we have a safe version of HTTP by encrypting over SSL, we can do the same for a cookie through the SECURE tag.

When we think of using the ARR module in IIS for load balancing and enable server affinity , an additional tag(cookie) called ARR affinity will be assigned by the ARR to the first request of a new user session so that till all subsequent requests are served, the client talks to the same back-end server until the session gets expired. This “technique” is aptly called as the Cookie Insertion Method where the ARR acts like a proxy between the client and the server to intercept the requests so that it will attach/stick the session to a specific server addressed by the RESPONSE_SERVER_NAME.

While troubleshooting on an issue, I came across a vulnerability in which the penetration test read “Missing Secure Attribute In SSL Session Cookie” that basically means that we need to plug the RESPONSE_SET_COOKIE with a “secure” tag.

Out of the different Fields that we can modify in the RESPONSE, our primary concern here would be to change the outgoing content (cookie) from the server back to the client but with the ARRAffinity set to secure.

After pondering over the many options we have in IIS, a very feasible option would be to use the URL REWRITE Module in IIS to Modify the Response Section through an Outbound Rule. This would need you to add a simple rule (mentioned below) in the outbound section.

 <rewrite>

 <allowedServerVariables>

    <add name="REMOTE_USER" />

    </allowedServerVariables>

    <globalRules>

           <rule name="ADD YOUR RULE NAME" enabled="true" patternSyntax="Wildcard" stopProcessing="true">

           <match url="*" />

           <action type="Rewrite" url="https://SERVERFARMNAME/{R:0}" />

           </rule>

      </globalRules>

           <outboundRules>

           <rule name=”ADD YOUR RULE NAME">

           <match serverVariable="RESPONSE_Set_Cookie" pattern="ARRAffinity=(.*)" />

           <action type="Rewrite" value=" {R:0};secure" />

           </rule>

           </outboundRules>

</rewrite>