Configure FortiWeb Internal Cookies Attributes

Preface

One of the FortiWeb features I use most is adding cookie attributes such as Secure, HttpOnly, and SameSite to the Set-Cookie headers of web applications behind the FortiWeb.

After you configure them via Cookie Security, you will notice that the FortiWeb device itself adds its own cookie to track sessions, and that this internal cookie, to my confusion, is not affected by the Cookie Security configuration, as shown in the following image:

To add the needed attributes to the FortiWeb internal cookie, we need to set additional options via the CLI.

Procedure

Access the CLI via the Web UI or SSH, and then add the following configuration:

config server-policy policy
  edit <POLICY_NAME>
    set internal-cookie-http-only enable
    set internal-cookie-samesite enable
    set internal-cookie-samesite-value lax
    set internal-cookie-secure enable
  next
end

Conclusion

You can recheck the response headers via curl. This time you will see that the internal FortiWeb session cookie also carries the configured attributes.
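The curl recheck above is easy to misread when a response sets several cookies, so here is an added example (not from the original post) that audits every Set-Cookie header in a response for the Secure, HttpOnly and SameSite attributes at once. The cookie names, values and URL in it are placeholders; in particular "fwsession" stands in for whatever name your FortiWeb uses for its internal session cookie, it is not the real name.

```shell
#!/bin/sh
# Added example, not from the original post: audit every Set-Cookie header in an
# HTTP response for the Secure, HttpOnly and SameSite attributes, so the
# application cookie and the FortiWeb internal cookie are checked in one pass.
# Cookie names, values and the URL below are placeholders, not FortiWeb's real ones.

# check_cookie "<Set-Cookie value>": prints the cookie name and any missing
# attributes; returns 0 when Secure, HttpOnly and SameSite are all present.
check_cookie() {
    cookie=$(printf '%s' "$1" | tr -d '\r')   # curl output is CRLF-terminated
    name=${cookie%%=*}
    missing=""
    # Attribute names are case-insensitive (RFC 6265), hence grep -i.
    printf '%s' "$cookie" | grep -qiE ';[[:space:]]*secure[[:space:]]*(;|$)' \
        || missing="$missing Secure"
    printf '%s' "$cookie" | grep -qiE ';[[:space:]]*httponly[[:space:]]*(;|$)' \
        || missing="$missing HttpOnly"
    printf '%s' "$cookie" | grep -qiE ';[[:space:]]*samesite=(lax|strict|none)[[:space:]]*(;|$)' \
        || missing="$missing SameSite"
    if [ -n "$missing" ]; then
        printf '%s: missing%s\n' "$name" "$missing"
        return 1
    fi
    printf '%s: ok\n' "$name"
}

# audit_headers: reads raw response headers on stdin, checks each Set-Cookie line
# (HTTP/2 responses arrive with lowercase header names, so match case-insensitively),
# returns the number of cookies that failed (0 means every cookie is hardened).
audit_headers() {
    fails=0
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lower" in
            set-cookie:*)
                value=${line#*:}
                value=${value# }
                check_cookie "$value" || fails=$((fails + 1))
                ;;
        esac
    done
    return "$fails"
}

# Constructed sample responses. BEFORE mimics the symptom described in the post:
# the application cookie is hardened by Cookie Security, the FortiWeb internal
# cookie (placeholder name "fwsession") is not. AFTER is what the CLI change gives.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: fwsession=0123456789abcdef; Path=/'
SAMPLE_AFTER='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: fwsession=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax'

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | audit_headers || echo "  $? cookie(s) need attention"
echo "after:";  printf '%s\n' "$SAMPLE_AFTER"  | audit_headers || echo "  $? cookie(s) need attention"

# Live check against a real host (placeholder URL). Send a GET and dump the headers
# rather than using curl -I: a HEAD request does not always trigger the same Set-Cookie.
# curl -s -D - -o /dev/null https://app.example.com/ | audit_headers
```

Run it once before and once after the CLI change; the internal cookie should move from "missing Secure HttpOnly SameSite" to "ok", and the script's exit status (the number of failing cookies) makes it usable in a post-change smoke test.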
