Forum Discussion
Brian_107072 (Nimbostratus)
Nov 04, 2010
BigIP does not encrypt application cookies
Greetings,
I have an LTM on v9.4.8
I have been fighting this for a week now. I hope someone can shine a light on where I am going wrong.
I have already tried both of the examples in the following link:
http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookies.html
and
http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/19364/afv/topic/Default.aspx
The problem is that an application is leaking internal network info in a cookie like the following value:
Cookie Value: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
I need to encrypt these cookies.
Here is my code:
when CLIENT_ACCEPTED {
    set ::cookiename "stagingDistAuth"
    set ::encryption_passphrase "abcd1234"
}
when HTTP_REQUEST {
    set uri https://[getfield [HTTP::host] : 1][HTTP::uri]
    if { $uri starts_with "https://some.server.com/auth/" } {
        if { [HTTP::cookie exists $::cookiename] } {
            set decrypted [HTTP::cookie decrypt $::cookiename $::encryption_passphrase]
            if { ($decrypted eq "") } {
                # Cookie wasn't encrypted, delete it
                HTTP::cookie remove $::cookiename
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $uri starts_with "https://some.server.com/auth/" } {
        if { [HTTP::cookie exists $::cookiename] } {
            set encrypted_value [HTTP::cookie encrypt $::cookiename $::encryption_passphrase]
        }
    }
}
I have tried entering a lot of log messages to debug but nothing showed up except that the cookie is not being encrypted. When I look at the cookie in my browser it is not encrypted.
When I set the cookie value to the encrypted value with a command like the following I get a new cookie by the same name but with a different domain and not secured.
if { $uri starts_with "https://some.server.com/auth/" } {
    if { [HTTP::cookie exists $::cookiename] } {
        set encrypted_value [HTTP::cookie encrypt $::cookiename $::encryption_passphrase]
        set crtrn [HTTP::cookie value $::cookiename $encrypted_value ]
    }
}
Any help would be appreciated.
- hooleylist (Cirrostratus): Hi Brian,
- Brian_107072 (Nimbostratus): Well, it appears I am suffering from the same thing as these guys:
- Brian_107072 (Nimbostratus): Here is my code with logging:
when CLIENT_ACCEPTED {
    # Get Client IP address
    set CLIENT [IP::client_addr]
    # Name of the cookie to encrypt/decrypt
    set cookie "stagingDistAuth"
    set cookiename "stagingDistAuth"
    set encryption_passphrase "abcd1234"
    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    set cookie_encryption_debug 1
}
when HTTP_REQUEST {
    set proto "https://"
    set uri $proto[getfield [HTTP::host] : 1][HTTP::uri]
    if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} {
        if { [HTTP::cookie exists $cookiename] } {
            if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE:[HTTP::cookie value $cookiename]"}
            set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]
            if { ($decrypted eq "") } {
                if { $cookie_encryption_debug } { log local0. "COOKIE NOT ENCRYPTED. VALUE:[HTTP::cookie value $cookiename]"}
                # Cookie wasn't encrypted, delete it
                # (uses the connection-local $cookiename set in CLIENT_ACCEPTED; the
                # original referenced the global $::cookiename, which this rule never sets)
                HTTP::cookie remove $cookiename
            } else {
                if { $cookie_encryption_debug } { log local0. "COOKIE DECRYPTED. VALUE:[HTTP::cookie value $cookiename]"}
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} {
        set cookie1 $cookiename
        set cookie2 $cookiename
        set cookie3 $cookiename
        set cValue [HTTP::cookie value $cookie1]
        set cLength [string length $cValue]
        if { $cookie_encryption_debug } { log local0. "COOKIE LENGTH. VALUE: $cLength"}
        if { $cLength > 0 } {
            if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE: [HTTP::cookie value $cookie2]"}
            HTTP::cookie encrypt $cookiename $encryption_passphrase
            if { $cookie_encryption_debug } { log local0. "COOKIE ENCRYPTED VALUE: [HTTP::cookie value $cookie3]"}
        }
    }
}
Resulting log output:
COOKIE LENGTH. VALUE: 59
COOKIE EXISTS. VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE ENCRYPTED VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::cookie value $::cookie1"
COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
Illegal argument. Can't execute in the current context. (line 22) invoked from within "HTTP::cookie value $::cookie1"
- Brian_107072 (Nimbostratus): Aaron,
- Brian_107072 (Nimbostratus): I was able to resolve the "Illegal argument. Can't execute in the current context" messages. I created another iRule and moved all my cookie handling code there. I then stacked it on my VIP's resources screen. Now the code seems to be working.
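Editor's note: the pattern that emerges from this thread, consolidated into a single iRule as an added example. This is not code from the original poster, from F5 or from the DevCentral wiki; it keeps every variable connection-local (no $:: globals), scopes the check to the /auth/ path on the one host, strips any inbound copy of the cookie that does not decrypt, and, on the way out, verifies that HTTP::cookie encrypt actually changed the Set-Cookie value before letting the response through. The cookie name, passphrase and host name are placeholders taken from the thread; the HTTP::cookie secure call is assumed to be available on the poster's 9.4.8 release.

```tcl
# Added example: one self-contained cookie encrypt/decrypt iRule (assumptions:
# cookie name, passphrase and host below are placeholders; attach this as the
# only cookie-handling rule on the virtual server).
when CLIENT_ACCEPTED {
    set cookiename "stagingDistAuth"
    set passphrase "abcd1234"
    set debug 1
    # Set here so HTTP_RESPONSE can safely read it even if no request has been seen
    set inscope 0
}

when HTTP_REQUEST {
    # Match on host and path rather than rebuilding a full URL string
    set host [getfield [HTTP::host] ":" 1]
    set inscope [expr {$host eq "some.server.com" && [string match "/auth/*" [HTTP::path]]}]

    if { $inscope && [HTTP::cookie exists $cookiename] } {
        # HTTP::cookie decrypt rewrites the cookie in place and returns the plaintext;
        # an empty result means the client sent something we never encrypted
        if { [HTTP::cookie decrypt $cookiename $passphrase] eq "" } {
            if { $debug } { log local0. "dropping undecryptable $cookiename from [IP::client_addr]" }
            HTTP::cookie remove $cookiename
        }
    }
}

when HTTP_RESPONSE {
    if { $inscope && [HTTP::cookie exists $cookiename] } {
        set before [HTTP::cookie value $cookiename]
        HTTP::cookie encrypt $cookiename $passphrase
        set after [HTTP::cookie value $cookiename]

        if { $after eq $before } {
            # Fail closed: the thread's own logs show encrypt silently leaving the
            # plaintext in place, so never let that plaintext reach the browser
            log local0. "encrypt of $cookiename had no effect; removing cookie from response"
            HTTP::cookie remove $cookiename
        } else {
            # The replacement cookie the poster saw was "not secured"; pin the flag here
            # (assumption: HTTP::cookie secure is supported on this release)
            HTTP::cookie secure $cookiename enable
            if { $debug } { log local0. "$cookiename encrypted, [string length $after] bytes" }
        }
    }
}
```

The before/after comparison is the check the thread was missing: the poster's debug logs printed the same plaintext URL after the encrypt call, which is exactly the condition this rule treats as a failure. Removing the cookie in that case will break the application's login flow rather than leak https%3A%2F%2Fsome.server.com%3A8443 to the client, which is the safer of the two outcomes; if that is unacceptable, replace the remove with a log line while the root cause is chased down.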