Section – Application Cookies

Application Cookies

How the cookie store works

In session-based communication, cookies that are sent from back-end hosts will by default be extracted from the HTTP responses and stored in the secure cookie store of Airlock Gateway. They will never show up at the client-side of the Gateway and Airlock Gateway will re-insert the cookies into the HTTP requests on behalf of the web client.

This way, cookies can safely be used to share data between back-end applications, e.g. for SSO scenarios.

There is a limit on how many cookies there can be stored. The limit is at 32kb per session, which hopefully is enough to accommodate most needs. Otherwise, the size can be changed on the expert settings page for the security gate (see default settings file).

In session-less communication, obviously the secure cookie store cannot be used. Instead, cookies will be encrypted such that cookie manipulation is impossible even though the cookies are transferred to the web client.

If there are cookies that should not be retained nor encrypted by Airlock Gateway, you can specify prefixes as explained below.

Interpret cookie domain in cookie store

This checkbox defines whether Airlock Gateway interprets the domain and the path attribute of cookies that are stored in the cookie store.

If enabled, Airlock Gateway will send the cookies in the cookie store to back-end hosts as follows:

  • If there is no domain attribute, the cookie will only be sent to the origin server that set the cookie.
  • If the domain attribute was specified, the cookie will be sent to the back-end server who's domain matches the cookie domain.
  • If the domain and the path attribute were specified, the cookie will be sent to the back-end server who's domain and path matches the corresponding cookie values.
  • If only the path attribute was specified, the cookie will only be sent to its origin server when the cookie path is a prefix of the requests path.

So far the behavior is similar to a web browser. But additionally, Airlock Gateway provides two useful enhancements:

  • If the cookie domain is set to ".*", the cookie will be sent to all back-end servers. This is very useful to have certain cookies such as authentication assertion cookies sent to all back-end servers while other cookies still profit from domain interpretation.
  • A cookie domain set to "@<fully-qualified-host>" with a given fully qualified host name following the "@" will be interpreted as if it were issued by the specified host. This can be used to issue session cookies on behalf of other back-end hosts, e.g. to perform a form based on-behalf login.

Please note that you must use fully qualified hostnames for the back end hosts in the mapping configuration if you want to take full advantage of cookie domain interpretation.

If the checkbox is disabled, Airlock Gateway will always append all cookies that are in the cookie store to any HTTP request. Also note that Airlock Gateway will not store two cookies with the same name in the cookie store. The last cookie set for a name will win.

Passphrase for passphrase-based encryption (PBE passphrase)

Specifies the passphrase for the pass-phrase-based encryption mechanism. A binary key is derived from the entered passphrase using cryptographically secure message digest functions. All pass- phrase-based encrypted cookies can be decrypted and verified as long as the same passphrase is used. This makes them independent of any application session. The same passphrase is also used for URL encryption in mappings where option 'PBE' is selected.