FortiWeb
Kush_Patel
Staff
Article Id 276353
Description

This article describes two CLI commands in FortiWeb, Fortinet's Web Application Firewall (WAF): 'set secure-cookie' and 'set internal-cookie-secure'. Both control the security attributes of cookies generated and managed by FortiWeb.

 

The 'set secure-cookie' and 'set internal-cookie-secure' commands in FortiWeb are used to enhance the security of cookies generated and managed by the WAF. Enabling the Secure attribute ensures that browsers transmit these cookies only over secure (HTTPS) connections, adding an extra layer of protection to your web applications.

 

While 'set secure-cookie' applies globally at the WAF level, 'set internal-cookie-secure' sets this attribute on a per-policy basis, giving fine-grained control over web application security.

Scope

FortiWeb.
Solution

The 'set secure-cookie' command is used to enable the Secure attribute for cookies generated by FortiWeb.

The Secure attribute is a flag that enhances the security of cookies by ensuring they are only sent over secure (HTTPS) connections. When this attribute is enabled, the browser will transmit the cookie only over HTTPS, helping prevent sensitive information from being exposed over unencrypted channels.

 

Here's a sample configuration to enable the Secure attribute for cookies using the 'set secure-cookie' command (the rule name is a placeholder):

config waf cookie-security
    edit "<rule_name>"
        set secure-cookie enable
    next
end

 

In this configuration, the 'set secure-cookie enable' command ensures that cookies generated by FortiWeb will have the Secure attribute enabled when associated with a WAF policy.

 

The 'set internal-cookie-secure' command is used to explicitly set the Secure attribute for cookies within a specific server policy in FortiWeb. This command allows control of the security attributes of cookies on a per-policy basis. It is particularly useful to ensure that cookies for specific applications are transmitted only over HTTPS.

 

Here's a sample configuration to enable the Secure attribute for cookies within a server policy using the 'set internal-cookie-secure' command:

 

config server-policy policy
    edit "<policy_name>"
        set internal-cookie-secure enable
    next
end

 

In this configuration, the 'set internal-cookie-secure enable' command ensures that cookies associated with the specified server policy will have the Secure attribute enabled. This helps enforce secure cookie transmission for specific applications.
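After enabling either setting, it is worth confirming from a client that the Set-Cookie headers returned through FortiWeb actually carry the Secure attribute. The following checker is an added example, not code from the article or from Fortinet; the header values it inspects are constructed samples, and the cookie names are placeholders.

```python
"""Report cookies whose Set-Cookie header lacks the Secure attribute.

Assumes the response headers were captured from a client (for example a
browser's network panel or 'curl -I') for an application published
through FortiWeb. The sample headers below are constructed, not real.
"""


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into name, value and an attribute map.

    Attribute names are case-insensitive (RFC 6265), so they are stored
    lower-cased. Flag attributes such as Secure and HttpOnly map to True;
    valued attributes such as Path map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_secure(set_cookie_headers) -> list:
    """Return the names of cookies that do not carry the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["attrs"].get("secure") is not True:
            missing.append(cookie["name"])
    return missing


# Constructed sample: the first cookie would be what a response looks like
# before 'set secure-cookie enable' / 'set internal-cookie-secure enable';
# the other two carry the Secure attribute (case differs, both are valid).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "app_session=xyz789; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; secure",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie without Secure attribute: {cookie_name}")
```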

 
