Forum Discussion
cookie encryption using Http profile and irule
Hi,
Tried cookie encryption using the iRule and HTTP profile. However, when I ran a vulnerability scanner from the internet, the cookie is leaking internal IPs etc. Not sure what I am missing. Please help.
```
ltm rule cookie_domain {
    partition test-dmz
    when HTTP_REQUEST {
        set domainname [HTTP::host]
    }
}

ltm rule cookie_secure {
    partition test-dmz
    when HTTP_RESPONSE {
        foreach aCookie [HTTP::cookie names] {
            HTTP::cookie secure $aCookie enable
        }
    }
}

ltm persistence cookie Com_cookie {
    app-service none
    defaults-from cookie
    expiration 0
}

create ltm profile http http-cookieencrypt defaults-from http encrypt-cookies add { Com_cookie } encrypt-cookie-secret "Password01"

ltm profile http http-cookieencrypt {
    app-service none
    defaults-from http
    encrypt-cookie-secret Password01
    encrypt-cookies { Com_cookie }
}
```
1 Reply
Hello,
You encrypt everything except persistence cookies. You should add encryption within the Cookie persistence profile assigned to your VS.
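A check to run against your own virtual server's responses before and after enabling encryption on the persistence profile, as an added example that is not part of the original thread. It assumes the default BIG-IP cookie-insert format for IPv4 pool members (`<encoded ip>.<encoded port>.0000`); the cookie names and values in the sample are constructed.

```python
import ipaddress
import re

# Unencrypted IPv4 cookie-insert value: <encoded ip>.<encoded port>.0000
PLAIN_PERSIST = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_persistence_value(value):
    """Return (ip, port) if value is an unencrypted BIG-IP IPv4 persistence
    cookie, else None. Address and port are stored byte-reversed in decimal."""
    m = PLAIN_PERSIST.match(value)
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    ip = ipaddress.IPv4Address(ip_num.to_bytes(4, "little"))
    port = int.from_bytes(port_num.to_bytes(2, "little"), "big")
    return ip, port


def audit_set_cookie(headers):
    """Return (name, ip, port, is_private) for each Set-Cookie value that
    exposes a pool member address."""
    findings = []
    for header in headers:
        # Only the first name=value pair matters; the rest are attributes.
        name, _, value = header.split(";", 1)[0].strip().partition("=")
        decoded = decode_persistence_value(value)
        if decoded:
            ip, port = decoded
            findings.append((name, str(ip), port, ip.is_private))
    return findings


# Constructed sample Set-Cookie values (not taken from the thread).
SAMPLE_HEADERS = [
    "BIGipServerexample_pool=1677787402.36895.0000; path=/",       # plain value
    "BIGipServerexample_pool=!constructedOpaqueValue==; path=/",    # opaque value
    "JSESSIONID=A1B2C3D4; path=/; Secure; HttpOnly",               # application cookie
]

if __name__ == "__main__":
    for name, ip, port, private in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: exposes {ip}:{port} (private={private})")
```

An empty result from `audit_set_cookie` on the live response headers means no cookie still carries a pool member address in the plain format.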