Forum Discussion
Cookie Encryption - duplicate cookies
- Nov 09, 2016
"Encrypt cookies" now does all copies of a cookie.
Hi Simon,
Below are two quick codings to sanitize duplicated instances (any number) of a given Set-Cookie...

    when HTTP_RESPONSE {
        # Only act on responses that carry at least one Set-Cookie header
        if { [HTTP::header value "Set-Cookie"] ne "" } then {
            set cookie_name "MyCookie"
            # Count the Set-Cookie headers whose value starts with "MyCookie="
            set cookie_count [llength [lsearch -all -glob [HTTP::header values "Set-Cookie"] "$cookie_name=*"]]
            # One removal per surplus instance, until a single one is left
            while { $cookie_count > 1 } {
                set cookie_count [expr { $cookie_count - 1 }]
                HTTP::cookie remove $cookie_name
            }
        }
    }

... or ...
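
    when HTTP_RESPONSE {
        # Only act on responses that carry at least one Set-Cookie header
        if { [HTTP::header value "Set-Cookie"] ne "" } then {
            set cookie_name "MyCookie"
            # Collect the full values of all matching Set-Cookie headers
            set cookie_values [lsearch -inline -all -glob [HTTP::header values "Set-Cookie"] "$cookie_name=*"]
            set cookie_count [llength $cookie_values]
            # Act only on duplicates, so that no empty Set-Cookie header is
            # inserted when the cookie is absent from the response
            if { $cookie_count > 1 } {
                # Remove every instance of the cookie ...
                while { $cookie_count } {
                    set cookie_count [expr { $cookie_count - 1 }]
                    HTTP::cookie remove $cookie_name
                }
                # ... then re-insert the value of the last instance
                HTTP::header insert "Set-Cookie" [lindex $cookie_values end]
            }
        }
    }
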
Note: The first iRule will keep the first instance of "Set-Cookie" (better performance) and the second iRule would keep the last instance of "Set-Cookie" (according to RFC 6265).
Side Note: F5 uses AES to encrypt Cookie information and one of the major design goals of AES was to become somewhat resilient against differential cryptanalysis attacks (unlike DES). So your cookie will be pretty much secured against any (known) form of chosen- or well-known plaintext attacks...
Cheers, Kai
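
An offline model of the two strategies in the post above, added here as an example and not part of the original post or of F5's code: it applies keep-first and keep-last de-duplication to a constructed list of Set-Cookie values, following the behaviour the note describes. The function names `cookie_name` and `dedupe` and the sample headers are assumptions made for the illustration.

```python
# Added example, not from the original post. Header values are constructed.

def cookie_name(value):
    """Name part of one Set-Cookie header value (text before the first '=')."""
    return value.split(";", 1)[0].split("=", 1)[0].strip()


def dedupe(headers, name, keep):
    """Return (headers with one instance of `name`, dropped values).

    keep="first" models the first iRule: the earliest instance stays in place.
    keep="last" models the second iRule: every instance is removed and the
    last value is appended again, so it moves to the end of the list.
    """
    if keep not in ("first", "last"):
        raise ValueError("keep must be 'first' or 'last'")
    # Exact name match, so "MyCookie2" is never treated as "MyCookie"
    hits = [i for i, v in enumerate(headers) if cookie_name(v) == name]
    if len(hits) < 2:  # absent or already unique: nothing to change
        return list(headers), []
    survivor = hits[0] if keep == "first" else hits[-1]
    dropped = [headers[i] for i in hits if i != survivor]
    if keep == "first":
        out = [v for i, v in enumerate(headers) if i == survivor or i not in hits]
    else:
        out = [v for i, v in enumerate(headers) if i not in hits]
        out.append(headers[survivor])
    return out, dropped


# Constructed response: MyCookie is set three times, MyCookie2 is unrelated.
SAMPLE = [
    "MyCookie=old; Path=/",
    "Other=1; Path=/; HttpOnly",
    "MyCookie=mid; Path=/",
    "MyCookie2=x; Path=/",
    "MyCookie=new; Path=/; Secure",
]

if __name__ == "__main__":
    for mode in ("first", "last"):
        kept, dropped = dedupe(SAMPLE, "MyCookie", mode)
        print(mode, "->", kept, "dropped:", dropped)
```

The dropped list shows which values, and which attributes such as `Secure`, are lost under each strategy.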