Al_Faller_1969
May 13, 2013

AES encrypted cookie has recognizable content

Hi,

I am using AES::encrypt and URI::encode on BIGipServer cookies. While debugging my new iRule, I noticed the encrypted, encoded string contains content that I recognize from other transactions (looks like it's mostly query string parameters). Otherwise, the iRule works as expected. Does this make any sense? Any way to prevent this? Does the below rule look reasonable enough?

Thanks,

Al

Here is my iRule - it's mostly a ripoff of the cookie encryption on CodeShare. Some of my F5s are 10.2.x, so I needed to use a static key.


when RULE_INIT {
    # Cookie name prefix
    set static::ck_pattern "BIGipServer*"

    # Log debug to /var/log/ltm? (1=yes, 0=no)
    set static::ck_debug 0

    # Cookie encryption key
    set static::aes_key "AES 128 my32hexcharacters"
}

when HTTP_REQUEST {
    if {$static::ck_debug}{log local0. "Request cookie names: [HTTP::cookie names]"}

    # Check if the cookie names in the request match our string glob pattern
    if {[set enc_cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""}{

        # We have at least one match so loop through the cookie(s) by name
        foreach enc_cookie_name $enc_cookie_names {

            # URI decode the cookie value and check if the decoding failed
            if {not ([catch {URI::decode [HTTP::cookie value $enc_cookie_name]} cookie_uri_decoded])}{

                # Log that the cookie was URI decoded
                if {$static::ck_debug}{log local0. "\$cookie_uri_decoded was set successfully to $cookie_uri_decoded"}

                # Decrypt the value and check if the decryption failed
                if {not ([catch {AES::decrypt $static::aes_key $cookie_uri_decoded} cookie_decrypted])}{
                    if {$static::ck_debug}{log local0. "$enc_cookie_name \$cookie_decrypted: $cookie_decrypted"}
                    HTTP::cookie value $enc_cookie_name $cookie_decrypted
                } else {
                    # cookie was not decrypted successfully
                    HTTP::cookie remove $enc_cookie_name
                }
            } else {
                # cookie was not decoded successfully
                HTTP::cookie remove $enc_cookie_name
            }
        }
        if {$static::ck_debug}{log local0. "Cookie header(s): [HTTP::header values Cookie]"}
    }
}

when HTTP_RESPONSE {
    if {$static::ck_debug}{log local0. "Response cookie names: [HTTP::cookie names]"}

    # Check if the cookie names in the response match our string glob pattern
    if {[set enc_cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""}{

        # We have at least one match so loop through the cookie(s) by name
        if {$static::ck_debug}{log local0. "Matching cookie names: $enc_cookie_names"}
        foreach enc_cookie_name $enc_cookie_names {
            if {$static::ck_debug}{log local0. "Matching cookie $enc_cookie_name value [HTTP::cookie value $enc_cookie_name]"}

            # Encrypt the cookie value, then URI encode it so the binary ciphertext is safe in a Set-Cookie header
            HTTP::cookie value $enc_cookie_name [URI::encode [AES::encrypt $static::aes_key [HTTP::cookie value $enc_cookie_name]]]

            # Log the encrypted value exactly as it will be sent
            if {$static::ck_debug}{log local0. "Matching cookie $enc_cookie_name encrypted value [HTTP::cookie value $enc_cookie_name]"}
        }
        if {$static::ck_debug}{log local0. "Set-Cookie header(s): [HTTP::header values Set-Cookie]"}
    }
}
