Forum Discussion

SaiNetwork_1624's avatar
SaiNetwork_1624
Icon for Nimbostratus rankNimbostratus
Jun 20, 2017

Cookie Encryption through HTTP profile does effect for cookie disabled VIPs?

Hi , I have a request to enable cookie encryption on he entire LTM.   please let me know one thing.Does cookie persistence work only if I map cookie persistence profile to the VIP and then HTTP pr...
BIG-IP
LTM
security
dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Jun 20, 2017

Hi,

 

Actually Cookie persistence profile will not work without HTTP profile. Of course there are persistence profile types that will work without HTTP profile (like Source Address Affinity) but not cookie type.

 

HTTP profile is assigned to VS to allow LTM to understand HTTP protocol. This is for example necessary if you would like to use Cookie persistence profile.

 

In this case LTM needs to be able to parse HTTP request/response to extract/set cookie header used for persistence.

 

Persistence profile (in this case cookie) is needed when stickiness of HTTP session is required.

 

It means that all client HTTP requests after first load balancing decisions (when first client HTTP request without LTM cookie is received) should be send to the same pool member as first request.

 

So dependency is like that:

 

  • HTTP profile do not need Persistence profile
  • Cookie persistence profile requires HTTP profile

Concerning setting cookie encryption in HTTP profile - you can safely do that for both VSs with only HTTP profile assigned as well as VSs with both HTTP profile and Cookie persistence profile.

 

Encrypt Cookies will just encrypt cookies (specified by name in this field) when sending responses to clients, then decrypt them when receiving request from client.

 

Because you have to specify list of cookie names that should be encrypted then you can omit persistence cookie name (used by Cookie persistence profile) - it will not be encrypted, but of course you can as well specify it to be encrypted - LTM will handle encrypted persistence cookie as well.

 

Anyway for cookies used by Cookie persistence profile it's easier to use Cookie Encryption Use Policy option available in Cookie persistence profile configuration (TMOS 11.5.0+), than Encrypt Cookies in HTTP profile.

 

Persistence cookies have dynamic names build like that: BIGipServer[name of the pool assigned to VS] - if pool is http_pool then cookie name will be BIGipServerhttp_pool.

 

So it wold be necessary to change cookie name in HTTP profile Encrypt Cookies option each time pool assigned to VS changes and have as many HTTP profiles as pools used by VSs.

 

Piotr