Difference between revisions of "Cookie filter"

From Secure Web Gateway
Tag: Reverted
 
(8 intermediate revisions by the same user not shown)
Line 34: Line 34:
| style="width: 924px" |  
| style="width: 924px" |  
== Global ==
== Global ==
[[File:Cooie-global.jpg|center|Cooie-global.jpg|link=]]


| style="width: 340px" |  
|-
| style="width: 924px" |
=== Enabled ===
=== Enabled ===


Line 45: Line 41:
*'''TRUE :''' Enable cookie filtering section.  
*'''TRUE :''' Enable cookie filtering section.  
*'''FALSE :''' Disable cookie filtering section.  
*'''FALSE :''' Disable cookie filtering section.  
 
[[File:Cooie-global.jpg|center|Cooie-global.jpg|link=]]
 
| style="width: 340px" |  
|-
| style="width: 924px" |
=== Policy ===
=== Policy ===


Line 164: Line 165:
| style="width: 340px" |  
| style="width: 340px" |  
|}
|}
=== Example ===
'''Rule#1'''
I want to allow cookie filtering for connections with profile “COOKIE ALLOW”.
Users who require access to log in webpages and personal account need cookie access.
We can use cookie -> Allow sub section to allow Cookies
[[File:Slide1-cookieAllow.png|left]]
'''Rule#2'''
I want to allow cookie for domain safesquid.com
Despite the deny rule, connections to domain safesquid.com will not drop cookie
This can be used in a situation where login is required for mission critical application.
[[File:Slide2-cookieAllow.png|left]]


== Deny ==
== Deny ==
Line 272: Line 289:


[[Category:Configuration]]
[[Category:Configuration]]
=== Example ===
'''Rule#1'''
Default rule for dropping cookies used by SafeSquid.
Connections with profile "READ ONLY" will ensure users are unable to login.
Cookie sent in both directions are dropped.
[[File:Slide1-cookieDrop.png|left]]
'''Rule#2'''
Connections with profile “DROP COOKIES FOR GOOGLE” will drop all cookies for domain google.com.
Cookies will be dropped for both incoming and outgoing requests.
[[File:Slide2-cookieDrop.png|left]]

Latest revision as of 13:48, 5 January 2023

Overview

Cookie Filter allows you to choose which hosts(websites), the browsers are allowed to send and receive the cookies.

An HTTP cookie (also called web cookie, Internet cookie, browser cookie or simply cookie) is a small piece of data sent from a website and stored in the user's web browser while the user is browsing.

You can control the cookie exchange precisely, between remote websites and users.

You can manage the user privacy (Username & Preferences).

You can also disable the users from logging into their personal accounts.

Example : You can block cookies from advertising websites like tribalfusion.com and doubleclick.net to prevent private information from being transferred to them.

And users able to query the search engines (google, yahoo) but they are not able to login to their personal accounts (Gmail, shopping websites, trading websites).

Enabling Cookie filter section on SafeSquid User Interface

Access SafeSquid interface

Go to configure page

AllowsitescategorySlide1 (2).PNG
 
   

Global

Enabled

Enable or Disable cookie filtering section.

  • TRUE : Enable cookie filtering section.
  • FALSE : Disable cookie filtering section.
Cooie-global.jpg
 

Policy

Select the default action to take, when no matching entry for a requested cookie is found.

  • ALLOW : When Policy is set to Allow, a requested cookie is allowed, when no matching entry is found.
  • DENY : When Policy is set to Deny, a requested cookie is denied, if no matching entry is found.
 

Allow

Cookie-allow.jpg

When the Policy is Deny, rules defined under this sub-section, are exclusively allowed access.

Here you can add a new allow entry, that would explicitly result in acceptance or allowance of cookie transfer to all or specific set of conditions.

This effectively allows you set a variety of intelligently and creatively defined Cookie Transfer whitelist(s).

Enabled

Enable or Disable this entry

  • TRUE : Enable this entry.
  • FALSE : Disable this entry.

Comment

For documentation, and future references, explainthe relevance of this entry with your policies.

Profiles

Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (!profile).

Expiry year range

Mention the cookie expiry year range this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : 2016-2017, here cookie will expires after year 2017.

Expiry month range

Select cookie expiry month range this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : January – March, here cookie expires after March.

Expiry day range

The cookie expiry day range this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : 1-20, here cookie will expire after 20th day.

Expiry weekday range

The cookie expiry weekday ranges this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : Monday – Friday, here cookie will expire after Friday.

Expiry hour range

The cookie expiry hour ranges this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : 1-10, Here cookie will expire after 10 AM.

Expiry minute range

The cookie expiry minute range this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : 15-30, Here cookie will expire after 10:30 AM.

In the above example, Hours are included from Hour range.

Domain

Here you can mention the domain (website) names by separating with pipe (|) which you want to allow or deny. You can use regular expression to match the domains.

Example : safesquid.com|google.com.

Path

A regular expression matching the cookie's path attribute.

Direction

The direction of the cookie this entry applies to; can be either in (Set-cookie sent by website), out (Cookie sent by browser), or both.

  • IN : For Inbound Connections only. That is only for the cookies sent by the hosts(websites).
  • OUT : For Outbound Connections only. That is only for the cookies sent by the browser.
  • BOTH : For Both Inbound and Outbound connections. For cookies sent by the websites as well as cookies sent by the browser.

Time match mode

Select the appropriate mode to match the multiple time ranges.

  • ABSOLUTETIME :
    When the absolute time match mode is used, any time between the starting and ending time will be match.
    Example: Weekday range specified is Monday to Friday and Hour Range is 9 to 17. 
    The Absolute match mode will match any time starting Monday, 9 AM and ending Friday, 17 PM.
    So it will be active from Monday 9 AM to Friday 5 PM.
  • ALLRANGES :
    With the all ranges time match mode howver, a time within all of the ranges will match.
    Example: Weekday range specified is Monday to Friday and Hour Range is 9 to 17.
    All ranges will match any time between 9 AM to 17 PM, on all weekdays from Monday to Friday.
    So it will be active every day from Monday to Friday between 9 AM to 5 PM.
     
 

Example

Rule#1

I want to allow cookie filtering for connections with profile “COOKIE ALLOW”. Users who require access to log in webpages and personal account need cookie access. We can use cookie -> Allow sub section to allow Cookies

Slide1-cookieAllow.png

Rule#2

I want to allow cookie for domain safesquid.com Despite the deny rule, connections to domain safesquid.com will not drop cookie This can be used in a situation where login is required for mission critical application.

Slide2-cookieAllow.png

Deny

When the Policy is Allow, rules defined under this sub-section, are exclusively denied access.

Here, you can add rules under Deny that would explicitly result in blocking or denial of cookie transfer to all or specific set of conditions.

This effectively allows you to set a variety of intelligently and creatively defined Cookie Transfer Blacklist(s).

Cookie-deny.jpg

Enabled

Enable or Disable this entry

  • TRUE : Enable this entry.
  • FALSE : Disable this entry.

Comment

For documentation, and future references, explainthe relevance of this entry with your policies.

Profiles

Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (! profile).

Expiry year range

Mention the cookie expiry year range this entry applies to

The cookie from a particular host (website), will be expired after this range.

Example : 2016-2017, here cookie will expires after year 2017.

Expiry month range

Select cookie expiry month range this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : January – March, here cookie expires after March.

Expiry day range

The cookie expiry day range this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : 1-20, here cookie will expire after 20th day.

Expiry weekday range

The cookie expiry weekday ranges this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : Monday – Friday, here cookie will expire after Friday.

Expiry hour range

The cookie expiry hour ranges this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : 1-10, Here cookie will expire after 10AM.

Expiry minute range

The cookie expiry minute range this entry applies to.

The cookie from a particular host (website), will be expired after this range.

Example : 15-30, Here cookie will expire after 10:30AM.

In the above example, Hours are included from Hour range.

Domain

Here you can mention the domain(website) names by separating with pipe (|) which you want to allow or deny. You can use regular expression to match the domains.

Example : safesquid.com|google.com

Path

A regular expression matching the cookie's path attribute.

Direction

The direction of the cookie this entry applies to; can be either in (Set-cookie sent by website), out (Cookie sent by browser), or both.

  • IN : For Inbound Connections only. That is only for the cookies sent by the hosts(websites).
  • OUT : For Outbound Connections only. That is only for the cookies sent by the browser.
  • BOTH : For Both Inbound and Outbound connections. For cookies sent by the websites as well as cookies sent by the browser.

Time match mode

Select the appropriate mode to match the multiple time ranges.

  • ABSOLUTETIME :
    When the absolute time match mode is used, any time between the starting and ending time will be match.
    Example: Weekday range specified is Monday to Friday and Hour Range is 9 to 17. 
    The Absolute match mode will match any time starting Monday, 9 AM and ending Friday, 17 PM.
    So it will be active from Monday 9 AM to Friday 5 PM.
  • ALLRANGES :
    With the all ranges time match mode howver, a time within all of the ranges will match.
    Example: Weekday range specified is Monday to Friday and Hour Range is 9 to 17.
    All ranges will match any time between 9 AM to 17 PM, on all weekdays from Monday to Friday.
    So it will be active every day from Monday to Friday between 9 AM to 5 PM.


Example

Rule#1

Default rule for dropping cookies used by SafeSquid.

Connections with profile "READ ONLY" will ensure users are unable to login.

Cookie sent in both directions are dropped.

Slide1-cookieDrop.png

Rule#2

Connections with profile “DROP COOKIES FOR GOOGLE” will drop all cookies for domain google.com.

Cookies will be dropped for both incoming and outgoing requests.

Slide2-cookieDrop.png