Forum Discussion
Brian_107072
Nimbostratus
Nov 04, 2010
BigIP does not encrypt application cookies
Greetings,
I have an LTM on v9.4.8
I have been fighting this for a week now. I hope someone can shine a light on where I am going wrong.
I have already tried both of the examples in the following link:
http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookies.html
and
http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/19364/afv/topic/Default.aspx
The problem is that an application is leaking internal network info in a cookie like the following value:
Cookie Value: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
I need to encrypt these cookies.
Here is my code:
when CLIENT_ACCEPTED {
    set ::cookiename "stagingDistAuth"
    set ::encryption_passphrase "abcd1234"
}
when HTTP_REQUEST {
    set uri https://[getfield [HTTP::host] : 1][HTTP::uri]
    if { $uri starts_with "https://some.server.com/auth/" } {
        if { [HTTP::cookie exists $::cookiename] } {
            set decrypted [HTTP::cookie decrypt $::cookiename $::encryption_passphrase]
            if { ($decrypted eq "") } {
                # Cookie wasn't encrypted, delete it
                HTTP::cookie remove $::cookiename
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $uri starts_with "https://some.server.com/auth/" } {
        if { [HTTP::cookie exists $::cookiename] } {
            set encrypted_value [HTTP::cookie encrypt $::cookiename $::encryption_passphrase]
        }
    }
}
I have tried entering a lot of log messages to debug but nothing showed up except that the cookie is not being encrypted. When I look at the cookie in my browser it is not encrypted.
When I set the cookie value to the encrypted value with a command like the following I get a new cookie by the same name but with a different domain and not secured.
if { $uri starts_with "https://some.server.com/auth/" } {
    if { [HTTP::cookie exists $::cookiename] } {
        set encrypted_value [HTTP::cookie encrypt $::cookiename $::encryption_passphrase]
        set crtrn [HTTP::cookie value $::cookiename $encrypted_value ]
    }
}
Any help would be appreciated.
5 Replies
hoolio
Cirrostratus
Hi Brian,
Is it possible that the cookie is being set on responses that aren't to a request for the auth URI? Can you show a version with debug logging and the output from /var/log/ltm?
Also, you don't need to use global variables for cookiename and encryption_password. You can remove the :: prefix to the variable names to make them local.
Aaron
Brian_107072
Nimbostratus
Well, It appears I am suffering from the same thing as these guys:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1173075/aff/5/showtab/groupforums/Default.aspx1198179
Anyone have a work around?
I am going to try checking the Cookie Value length as a work around.
Brian_107072
Nimbostratus
Here is my code with logging:
when CLIENT_ACCEPTED {
    # Get Client IP address
    set CLIENT [IP::client_addr]
    # Name of the cookie to encrypt/decrypt
    set cookie "stagingDistAuth"
    set cookiename "stagingDistAuth"
    set encryption_passphrase "abcd1234"
    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    set cookie_encryption_debug 1
}
when HTTP_REQUEST {
    set proto "https://"
    set uri $proto[getfield [HTTP::host] : 1][HTTP::uri]
    if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} {
        if { [HTTP::cookie exists $cookiename] } {
            if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE:[HTTP::cookie value $cookiename]"}
            set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]
            if { ($decrypted eq "") } {
                if { $cookie_encryption_debug } { log local0. "COOKIE NOT ENCRYPTED. VALUE:[HTTP::cookie value $cookiename]"}
                # Cookie wasn't encrypted, delete it
                # (local variable; the posted rule used $::cookiename here, which is unset in this rule)
                HTTP::cookie remove $cookiename
            } else {
                if { $cookie_encryption_debug } { log local0. "COOKIE DECRYPTED. VALUE:[HTTP::cookie value $cookiename]"}
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} {
        set cookie1 $cookiename
        set cookie2 $cookiename
        set cookie3 $cookiename
        set cValue [HTTP::cookie value $cookie1]
        set cLength [string length $cValue]
        if { $cookie_encryption_debug } { log local0. "COOKIE LENGTH. VALUE: $cLength"}
        if { $cLength > 0 } {
            if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE: [HTTP::cookie value $cookie2]"}
            HTTP::cookie encrypt $cookiename $encryption_passphrase
            if { $cookie_encryption_debug } { log local0. "COOKIE ENCRYPTED VALUE: [HTTP::cookie value $cookie3]"}
        }
    }
}
And here are the logs:
COOKIE LENGTH. VALUE: 59
COOKIE EXISTS. VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE ENCRYPTED VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::cookie value $::cookie1"
COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
Illegal argument. Can't execute in the current context. (line 22) invoked from within "HTTP::cookie value $::cookie1"
Brian_107072
Nimbostratus
Aaron,
The cookie is set on the auth response as far as I can tell. The Path is set to "/" in the cookie.
--Brian
Brian_107072
Nimbostratus
I was able to resolve the "Illegal argument. Can't execute in the current context" messages. I created another iRule and moved all my cookie handling code there. I then stacked it on my VIP's resources screen. Now the code seems to be working.
The second issue turned out to be that there were multiple cookies by the same name but for different domains. My code was acting on the first cookie it saw which of course was the wrong cookie. Fortunately, it was safe to delete the first cookie because it was not relevant to my sessions. Now the rules act on the correct cookie and all is well.
So, look for multiple cookies by the same name and try a second iRule if your code generates errors.
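The following iRule is an added example, not code from the thread or from F5. It illustrates the check Brian describes: since HTTP::cookie encrypt acts only on the first cookie carrying the given name, the rule walks every Set-Cookie header on the response (using HTTP::header values, which I am assuming is available on the poster's version), logs each occurrence with its Domain attribute, and encrypts only when the first occurrence is the one for the protected host. The cookie name, passphrase and expected domain are illustrative assumptions.

```tcl
# Added example (not from the thread): detect duplicate Set-Cookie headers
# sharing a name before encrypting, so the encrypt step does not silently
# act on a cookie belonging to a different domain.
when HTTP_RESPONSE {
    set cookiename "stagingDistAuth"              ;# assumed cookie name
    set expected_domain "some.server.com"         ;# assumed domain of the auth cookie
    set encryption_passphrase "abcd1234"          ;# placeholder; use a real secret

    set matches 0
    set first_domain ""
    foreach sc [HTTP::header values Set-Cookie] {
        # Split "name=value; Domain=x; Path=/" into its ;-separated pieces
        set parts [split $sc ";"]
        set name [string trim [lindex [split [lindex $parts 0] "="] 0]]
        if { $name ne $cookiename } { continue }
        incr matches
        # Read the Domain attribute of this particular Set-Cookie header
        set domain ""
        foreach attr [lrange $parts 1 end] {
            set kv [split [string trim $attr] "="]
            if { [string tolower [lindex $kv 0]] eq "domain" } {
                set domain [string trim [lindex $kv 1] "."]
            }
        }
        if { $matches == 1 } { set first_domain $domain }
        log local0. "Set-Cookie $cookiename occurrence $matches domain=\"$domain\""
    }

    if { $matches == 0 } { return }
    if { $matches > 1 } {
        # Two or more cookies share the name; HTTP::cookie encrypt reaches only the first
        log local0. "$matches Set-Cookie headers named $cookiename; encrypt would touch only the first (domain \"$first_domain\")"
    }
    # An empty Domain attribute means the cookie belongs to the response host itself
    if { $first_domain eq "" || $first_domain eq $expected_domain } {
        HTTP::cookie encrypt $cookiename $encryption_passphrase
        log local0. "Encrypted first $cookiename cookie"
    } else {
        log local0. "First $cookiename cookie is for \"$first_domain\", not \"$expected_domain\"; left untouched"
    }
}
```

The log lines make the duplicate visible in /var/log/ltm instead of leaving you guessing which cookie the encrypt command changed; whether the stray first cookie can safely be removed, as it could in Brian's case, is a decision to take per application.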