Barracuda Web Application Firewall

Why do I see all these cookie tampering attacks when I first deploy my Barracuda Web Application Firewall?

  • Type: Knowledgebase
  • Date changed: 11 months ago
Solution #00003565

Scope:
All Barracuda Web Application Firewalls, firmware versions 7.0.4.132 and above.

Answer:
The Barracuda Web Application Firewall's default security policy is to sign all outgoing cookies. This means that whenever the Web Server sets a cookie on a client's web browser, the Barracuda Web Application Firewall adds a digital signature to that cookie. This allows the Barracuda Web Application Firewall to determine whether the cookie has been changed when the client accesses the Web Server again.

When the Barracuda Web Application Firewall is deployed in front of your production Web Server, all new cookies that are sent out by the web application are signed. Initially, however, there may be many clients who already have cookies cached in their browsers. When the Barracuda Web Application Firewall sees these preexisting, non-signed cookies, it interprets them as having been altered (because they were created before the Barracuda Web Application Firewall could sign them) and displays a Cookie Tampered message on the Basic > Web Firewall Logs page.

These log entries will gradually stop appearing as the old cookies expire and the web application sends new cookies, which will then be appropriately signed by the Barracuda Web Application Firewall.
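
The behaviour described above can be reproduced with a small signing proxy model. This is an added example, not Barracuda's implementation: the HMAC-SHA256 scheme, the "." separator, the key and all function names are assumptions chosen for illustration. It shows that a cookie issued before deployment fails verification in the same way as a cookie that was modified after signing.

```python
import base64
import hashlib
import hmac

# Constructed key for the example; a real proxy would hold a random secret.
KEY = b"example-signing-key"
SEP = "."  # assumed separator between the cookie value and its signature


def _mac(name: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over name and value, URL-safe base64 without padding."""
    digest = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_outgoing(name: str, value: str, key: bytes = KEY) -> str:
    """Value the proxy sends to the browser in place of the server's value."""
    return f"{value}{SEP}{_mac(name, value, key)}"


def check_incoming(name: str, cookie: str, key: bytes = KEY):
    """Return (verdict, original_value); anything not validly signed is 'tampered'."""
    value, sep, sig = cookie.rpartition(SEP)
    expected = _mac(name, value, key)
    if sep and hmac.compare_digest(sig.encode(), expected.encode()):
        return "ok", value
    return "tampered", None


def replay(requests, key: bytes = KEY):
    """Classify (name, cookie) pairs the way the proxy would on the way in."""
    return [check_incoming(n, c, key)[0] for n, c in requests]


# Constructed sample traffic seen just after the proxy goes live.
SAMPLE = [
    ("session", "abc123"),                            # set before deployment, never signed
    ("session", sign_outgoing("session", "def456")),  # set after deployment
    ("session", sign_outgoing("session", "def456").replace("def456", "admin1")),  # modified
]

if __name__ == "__main__":
    for (name, cookie), verdict in zip(SAMPLE, replay(SAMPLE)):
        print(f"{verdict:9} {name}={cookie}")
```

The first and third sample cookies both come back as "tampered", which is why the log entries appear for legitimate clients until their old cookies expire and are reissued with a signature.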

Link to This Page:
https://campus.barracuda.com/solution/50160000000HKm9AAG