Cisco Web Security Appliance S670 Troubleshooting Guide

Websites with short (two-letter) domain names don't open up when using IE7 and WSA in transparent mode
Document ID: 118095
Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC Engineers.
Jul 29, 2014
Question:
Why don't some webpages with short domain names, for example "ya.ru", open when using WSA in
transparent mode with authentication turned on along with 'cookie' surrogates?
Environment:
• WSA with authentication enabled, cookie being used as surrogate type in either transparent or forward mode with authentication or credential encryption enabled.
• Browsers IE6 or IE7
• Short (two-letter) domain name of destination. (Examples: www.ya.ru, www.cn.ca)
Symptoms: IE displays an error page when browsing to the page. Disabling authentication fixes this.
Note: This Knowledge Base article references software which is not maintained or supported by Cisco.  The
information is provided as a courtesy for your convenience. For further assistance, please contact the software
vendor.
IE6 and IE7 do not allow setting cookies for two-letter domain names, because this could be a security risk:
some Top Level Domains (TLDs) require an additional two-letter subdomain for any domain by default, and a
cookie set for such a two-letter domain would be shared across all of those sites.
• One example would be the domain: example.co.uk. If one were to set a cookie for co.uk, its contents would be sent to any of UK's commercial websites.
This is an IE issue and there is nothing the WSA can do about it, because the cookie is necessary for
transparent authentication, especially with cookie surrogates. There is a registry key setting for IE6 to change
this behavior. The article below documents information about the registry setting:
http://support.microsoft.com/kb/310676
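The cookie-scoping reasoning above, as an added example that is not part of the original article or Cisco's or Microsoft's code: it compares which hosts a cookie Domain value would reach with whether the two-letter rule refuses it. The rule is a simplified model of the article's description, not IE's actual implementation; the function names are hypothetical and the host list is constructed.

```python
# Constructed destination hosts; ya.ru, cn.ca and example.co.uk are the
# article's examples, the remaining names are made up for illustration.
SAMPLE_HOSTS = [
    "www.ya.ru", "mail.ya.ru", "www.cn.ca",
    "example.co.uk", "shop.other.co.uk", "www.example.com",
]


def _norm(name):
    """Lower-case and drop leading/trailing dots ('.ya.ru' -> 'ya.ru')."""
    return name.strip().lower().strip(".")


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host, cookie_domain = _norm(host), _norm(cookie_domain)
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_two_letter_domain(cookie_domain):
    """Simplified model of the rule described in the article: exactly two
    labels, each two letters (ya.ru, co.uk). Not IE's actual implementation."""
    labels = _norm(cookie_domain).split(".")
    return len(labels) == 2 and all(len(l) == 2 and l.isalpha() for l in labels)


def evaluate(cookie_domain, hosts=SAMPLE_HOSTS):
    """Return (refused_by_rule, hosts the cookie would reach if it were set)."""
    reach = [h for h in hosts if domain_match(h, cookie_domain)]
    return is_two_letter_domain(cookie_domain), reach


if __name__ == "__main__":
    for domain in ("co.uk", "ya.ru", "cn.ca", "example.co.uk", "example.com"):
        refused, reach = evaluate(domain)
        print(f"Domain={domain:<14} refused={refused!s:<5} reach={reach}")
```

Both co.uk and ya.ru are refused by the rule, although only co.uk reaches unrelated sites; ya.ru and cn.ca are single sites caught by the same length check.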