12.6.2 Securing the Proxy Session Cookie

The proxy session cookies carry the authentication state for a user's session. They are non-persistent cookies: the browser holds them in memory and discards them when it is closed. However, if a session cookie is transmitted over a non-secure channel, an attacker who can intercept the traffic can capture the cookie and replay it to impersonate the user on the protected websites. To reduce this risk, you can use the following configuration options:

Setting the Authentication Cookie with the Secure Attribute for HTTP

You can configure Access Gateway to force the HTTP services to set the authentication cookie with the Secure attribute. A browser returns a cookie marked Secure only on HTTPS requests, so the cookie is never sent in clear text even if a page on the same site is requested by plain HTTP.

To enable this option, perform the following steps:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. Select Enable Secure Cookies, then click OK twice.

  3. Update Access Gateway.

This option is intended for the case where Access Gateway is placed behind an SSL accelerator, such as a Cisco SSL accelerator, that terminates HTTPS from the browser, and Access Gateway itself is configured to communicate by using only HTTP. Because the browser's connection is HTTPS, the cookie can safely be marked Secure even though Access Gateway sees HTTP. Do not enable it for services that browsers actually reach over plain HTTP: a browser does not send a Secure cookie on an HTTP request, so users would not stay authenticated.

Preventing Cross-Site Scripting Vulnerabilities

Cross-site scripting (XSS) vulnerabilities in web applications allow an attacker to run script in the context of the vulnerable site and read its cookies through document.cookie. The goal of such an attack is typically to hijack the session and impersonate a valid user. You can configure Access Gateway to set its authentication cookie with the HttpOnly attribute, which instructs the browser to withhold the cookie from scripts. HttpOnly does not remove the underlying XSS flaw; it only prevents injected script from reading the cookie.

To enable this option, perform the following steps:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. Select Force HTTP-Only Cookies, then click OK twice.

  3. Update Access Gateway.
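The following is an added example, not Access Gateway code, that covers both options above: it parses Set-Cookie headers, reports whether the Secure and HttpOnly attributes are present, and models the two browser rules those attributes trigger, so you can verify what the gateway actually emits after updating it. The header samples, the cookie name `session`, and the host `portal.example.com` are constructed for the example; the gateway's real cookie names differ.

```javascript
// Added example (not Access Gateway code): audit Set-Cookie headers for the
// Secure and HttpOnly attributes and model the browser rules they trigger
// (RFC 6265). Headers, cookie names and hosts below are constructed samples.

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;          // flag attribute, no value
    else if (key === 'httponly') cookie.httpOnly = true; // flag attribute, no value
    else cookie.attributes[key] = val;                   // path, domain, expires, ...
  }
  return cookie;
}

// Report which of the two hardening attributes a header lacks.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push('missing Secure: browser will also send it over plaintext HTTP');
  if (!c.httpOnly) findings.push('missing HttpOnly: readable via document.cookie by injected script');
  return { name: c.name, secure: c.secure, httpOnly: c.httpOnly, findings };
}

// Browser rule for Secure: attach the cookie only to requests over https:.
function browserWillSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  return !(cookie.secure && url.protocol !== 'https:');
}

// Browser rule for HttpOnly: document.cookie omits HttpOnly cookies.
function visibleToScript(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed samples: the cookie as a weak default, and as emitted once both
// options are enabled. "session" stands in for the real cookie name.
const SAMPLE_HEADERS = {
  weak: 'session=9f2c7a1e; Path=/',
  hardened: 'session=9f2c7a1e; Path=/; Secure; HttpOnly',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
    const result = auditSetCookie(header);
    console.log(label, result.findings.length ? result.findings : 'OK');
  }
  const hardened = parseSetCookie(SAMPLE_HEADERS.hardened);
  console.log('sent over https:', browserWillSend(hardened, 'https://portal.example.com/'));
  console.log('sent over http: ', browserWillSend(hardened, 'http://portal.example.com/'));
}
```

To check a live gateway, capture the Set-Cookie line from a login response (for example with the browser's network tools or `curl -sI`) and pass it to `auditSetCookie`. The `browserWillSend` result for an `http://` URL is the reason the Secure option belongs only behind an SSL accelerator: a Secure cookie is simply never returned on a plain HTTP request.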