Nick_T_68319
Nimbostratus
Aug 31, 2010
Cookie encryption
I have a lot of web sites using the F5 default cookie for the primary persistence method. When using this cookie, it names the cookie BIGipServerPOOLNAME. This is cool, but now I have a request to encrypt all the persistence cookies. Is there a way to encrypt all these cookies easily? Do I need to create a custom cookie persistence for EVERY site and then list them ALL in the http profile to be encrypted?
10 Replies
- Chris_Miller
Altostratus
Here's a good wiki on encrypting cookies
http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookies.html
I'm not sure what kind of wildcard capabilities exist within the actual HTTP profile. Obviously with an iRule, you could use something like "if cookie starts_with BIGip, encrypt, yada yada."
- brad_11480
Nimbostratus
I agree 100% with the statements regarding ways to encrypt these cookies.
I've been putting this off hoping that F5 would eventually realize that it needed to be addressed. At this point, however, our auditors are hounding us to get this corrected.. The 'plain text' persistence cookies are providing too much 'private' information and they need to be encrypted.
The auditors aren't hitting us on the name of the cookie.. yet.. but, yeah, that might happen too.. I think that can be changed but might have some other side-effects, if I remember correctly.
So the option seems to be either a zippy iRule that will do a wild card, or lots and lots of custom profiles. The latter is error prone. The former creates tons of unnecessary overhead.
Suggested solution:
1. System setting to encrypt all persistence cookies.
2. VIP setting to encrypt all persistence cookies.
2.a. VIP setting to encrypt all cookies.
3. HTTP profile allow wildcard entries for the list of cookies to encrypt.
Do 3 if nothing else can be done. I don't see that there has been anything done in this area, but could be wrong.. the cookies in the HTTP profile must be explicitly named .. all of them. for a VIP that works with a dozen resource pools, this list becomes quite long, and gee, all of them begin with BIGipServer . Dah... Help!?
- hoolio
Cirrostratus
Hi Brad,
I have a feature request in to add a checkbox on the cookie persistence profiles to support encryption that way. I think that would be the most elegant option.
There's also a request for supporting wildcards in the HTTP profile's cookies to encrypt field: BZ227249. You could expand on that to include all cookies that the HTTP profile sees in responses.
You could open a case with F5 Support and ask to have your case attached to these RFEs. This will raise the visibility of the requests.
Aaron
- Nick_T_68319
Nimbostratus
Either option would be cool, a wildcard or a checkbox. Hopefully this will get added sometime in v11 maybe :D
- mr_skater99_640
Nimbostratus
Hoolio - have you heard back about the feature requests?
If not I'll tack on my support - we are getting pinged for this every pen-test we do. What's the id for the first request?
Cheers.
- nitass
Employee
If you mean this one, it has not yet been implemented.
BZ 227249 - [RFE] - Support cookie encryption for dynamic cookie names in HTTP profile (Formerly CR 73147)
- Nick_T_68319
Nimbostratus
Posted By nitass on 07/12/2012 02:35 AM
If you mean this one, it has not yet been implemented.
BZ 227249 - [RFE] - Support cookie encryption for dynamic cookie names in HTTP profile (Formerly CR 73147)
Hmm I like how that sounds!
- hoolio
Cirrostratus
Here's an example iRule which encrypts cookies using a pattern for the name(s):
https://devcentral.f5.com/wiki/iRules.Encrypt-HTTP-cookies-with-dynamic-names.ashx
Please do open a case with F5 Support though to request this:
There's also a request for supporting wildcards in the HTTP profile's cookies to encrypt field: BZ227249.
- THi
Nimbostratus
Just in case someone hits this page (as I did), the persistence cookie encryption is implemented in sw 11.5.0 (and later) in cookie persistence profile. See SOL23254150: Configuring cookie encryption for BIG-IP persistence cookies from the cookie persistence profile. Default is not encrypted.
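An added example, not part of the thread and not F5 code: a Python check to run over captured Set-Cookie headers after changing the profile, to confirm whether any BIGipServer persistence cookie is still in the unencrypted form the auditors flagged. It assumes the default IPv4 cookie encoding (byte-reversed address and port, followed by .0000); the header values and pool names are constructed.

```python
import ipaddress
import re

# Default unencrypted IPv4 form: <addr>.<port>.0000, both decimal numbers
# holding the pool member's address and port with their bytes reversed.
PLAINTEXT = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

# Constructed sample Set-Cookie values (pool names and values are made up).
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerapi_pool=CONSTRUCTED-OPAQUE-VALUE; path=/; HttpOnly",
    "JSESSIONID=constructed123; path=/",
]


def decode_member(value):
    """Return (ip, port) if value is an unencrypted IPv4 cookie, else None."""
    m = PLAINTEXT.match(value)
    if not m:
        return None
    addr, port = int(m.group(1)), int(m.group(2))
    if addr > 0xFFFFFFFF or port > 0xFFFF:
        return None
    ip = ipaddress.IPv4Address(addr.to_bytes(4, "little"))
    return str(ip), int.from_bytes(port.to_bytes(2, "little"), "big")


def audit_set_cookie(headers, prefix="BIGipServer"):
    """Report every persistence cookie and whether it is still plaintext."""
    findings = []
    for header in headers:
        # One cookie per Set-Cookie header; attributes follow the first ';'.
        name, _, value = header.split(";", 1)[0].strip().partition("=")
        if not name.startswith(prefix):
            continue
        member = decode_member(value)
        findings.append({
            "pool": name[len(prefix):],
            # No match is not proof of encryption (other encodings exist);
            # a match is proof the profile is not encrypting this cookie.
            "plaintext": member is not None,
            "member": member,
        })
    return findings


if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS):
        print(f)
```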