Forum Discussion
Brian_107072
Nov 04, 2010 Nimbostratus
BigIP does not encrypt application cookies
Greetings,
I have an LTM on v9.4.8.
I have been fighting this for a week now. I hope someone can shine a light on where I am going wrong.
I have already tried both of the ...
Brian_107072
Nov 04, 2010 Nimbostratus
Here is my code with logging:
when CLIENT_ACCEPTED {
    # Get Client IP address
    set CLIENT [IP::client_addr]
    # Name of the cookie to encrypt/decrypt
    set cookie "stagingDistAuth"
    set cookiename "stagingDistAuth"
    set encryption_passphrase "abcd1234"
    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    set cookie_encryption_debug 1
}
when HTTP_REQUEST {
    set proto "https://"
    set uri $proto[getfield [HTTP::host] : 1][HTTP::uri]
    if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} {
        if { [HTTP::cookie exists $cookiename] } {
            if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE:[HTTP::cookie value $cookiename]"}
            set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]
            if { ($decrypted eq "") } {
                if { $cookie_encryption_debug } { log local0. "COOKIE NOT ENCRYPTED. VALUE:[HTTP::cookie value $cookiename]"}
                # Cookie wasn't encrypted, delete it
                # (cookiename is a local variable set in CLIENT_ACCEPTED, so no :: global prefix)
                HTTP::cookie remove $cookiename
            } else {
                if { $cookie_encryption_debug } { log local0. "COOKIE DECRYPTED. VALUE:[HTTP::cookie value $cookiename]"}
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} {
        set cookie1 $cookiename
        set cookie2 $cookiename
        set cookie3 $cookiename
        set cValue [HTTP::cookie value $cookie1]
        set cLength [string length $cValue]
        if { $cookie_encryption_debug } { log local0. "COOKIE LENGTH. VALUE: $cLength"}
        if { $cLength > 0 } {
            if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE: [HTTP::cookie value $cookie2]"}
            HTTP::cookie encrypt $cookiename $encryption_passphrase
            if { $cookie_encryption_debug } { log local0. "COOKIE ENCRYPTED VALUE: [HTTP::cookie value $cookie3]"}
        }
    }
}
And here are the logs:
: COOKIE LENGTH. VALUE: 59
: COOKIE EXISTS. VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
: COOKIE ENCRYPTED VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
: COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
: COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
- Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::cookie value $::cookie1"
: COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
: COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin
- Illegal argument. Can't execute in the current context. (line 22) invoked from within "HTTP::cookie value $::cookie1"