Description | This article describes a known behavior where the FortiGate SSL VPN will set/grant HTTP cookies that have the 'expires' attribute applied as part of the login/logout process. Administrators may see this flagged while performing security scans of the SSL VPN, so this article will discuss this expected behavior in further depth. |
Scope | FortiGate, SSL VPN. |
Solution |
When performing security scans against the FortiGate SSL VPN, administrators may see a warning message similar to the following:
Description: The remote web application sets various cookies throughout a user's unauthenticated and authenticated session; however, one or more of the cookies have an expires attribute that is set to a past date or time, meaning these cookies will be removed by the browser.
This is expected behavior for the FortiGate SSL VPN, and the description in the warning is correct: if a web browser receives a cookie with the 'expires' attribute set, and that expiration date is earlier than the current local time, the browser is expected to flush/remove the cookie from local storage. For more information, refer to the following HTTP documentation from Mozilla: Set-Cookie - Expires Attribute.
The FortiGate SSL VPN uses this expected behavior as a means of prompting the browser to flush any pre-existing cookies if the user is not already logged into an SSL VPN session. This security decision ensures that cookies from previous sessions cannot be used to create new sessions, and that the user must log in properly with their credentials.
For reference, the following cookies are used by the FortiGate as part of the SSL VPN authentication process:
As an example, during initial login to the SSL VPN web-mode portal (now called Agentless VPN in FortiOS 7.6), the FortiGate will use the Set-Cookie HTTP header to send expired versions of SVPNCOOKIE, SVPNNETWORKCOOKIE, and SVPNTMPCOOKIE. The browser will clear these existing cookies out if they are somehow present (usually they are flushed if the browser is closed or if the user explicitly logs out of the SSL VPN).
Once the user has completed the SSL VPN login process, a fresh SVPNCOOKIE will be generated and granted by the FortiGate to the web browser. This cookie does not have the 'expires' attribute set and is used as the session cookie while the user is connected to the SSL VPN (just as the earlier recommendation suggests).
Finally, when the user logs out, the FortiGate reissues the cookies with the 'expires' attribute set, which prompts the browser to clear them from its local cache.
All in all, the FortiGate SSL VPN is correctly following the conventions recommended by the above warning message, and so it is safe to ignore this warning.
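As an added example (not Fortinet's own code), the following Python audit parses Set-Cookie headers from two responses and classifies each cookie the way the scanner does, so an administrator can confirm that the flagged cookies are exactly the login-page clears described above and that the post-login SVPNCOOKIE is a plain session cookie. The headers are constructed to mirror the behavior in this article, not captured from a device, and attributes such as Path, Secure and the token value are assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (not captured from a real FortiGate):
# the login page clears the three SSL VPN cookies with a past Expires date,
# and the post-login response issues a fresh SVPNCOOKIE with no Expires.
LOGIN_PAGE_HEADERS = [
    "SVPNCOOKIE=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly",
    "SVPNNETWORKCOOKIE=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly",
    "SVPNTMPCOOKIE=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly",
]
POST_LOGIN_HEADERS = [
    "SVPNCOOKIE=EXAMPLE_SESSION_TOKEN; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Cookie names the article lists as part of SSL VPN authentication.
SSLVPN_COOKIES = {"SVPNCOOKIE", "SVPNNETWORKCOOKIE", "SVPNTMPCOOKIE"}


def classify_set_cookie(header, now=None):
    """Return (name, kind): 'cleared' when Expires is in the past (the browser
    removes it), 'persistent' when Expires is in the future, or 'session'
    when there is no Expires attribute (dropped when the browser closes)."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    expires = morsel["expires"]          # "" when the attribute is absent
    if not expires:
        return name, "session"
    when = parsedate_to_datetime(expires)
    if when.tzinfo is None:              # treat a naive date as GMT
        when = when.replace(tzinfo=timezone.utc)
    return name, "cleared" if when <= now else "persistent"


def audit(headers, now=None):
    """Map cookie name -> kind for every Set-Cookie header of one response."""
    return dict(classify_set_cookie(h, now) for h in headers)


def finding_is_expected(login_page_headers, post_login_headers):
    """True when the scan finding matches the documented behavior: only the
    known SSL VPN cookies are cleared on the login page, and the session
    cookie granted after login carries no Expires attribute."""
    cleared = {n for n, k in audit(login_page_headers).items() if k == "cleared"}
    after_login = audit(post_login_headers)
    return cleared <= SSLVPN_COOKIES and after_login.get("SVPNCOOKIE") == "session"
```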
Copyright 2025 Fortinet, Inc. All Rights Reserved.