Forum Discussion

tdoc_90806
Mar 26, 2009

Cookie Encryption

Hi, wondering if someone can point me in the right direction...

We recently had a Pen-test carried out on our Sharepoint Extranet. The site is secured using SSL which terminates at the F5.

The major finding was that certain requests from within the site use HTTP, which the LTM is then redirecting to HTTPS.

While this happens, the HTTP request is sent insecurely, which includes the Cookie.

Their recommendation is to make Sharepoint use HTTPS for each request, but due to the site config, this will cause me a few issues.

I was therefore wondering if I could use the F5 to encrypt the Cookie? I think this would solve the problem (?)

So, I have edited my LTM HTTP profile to Encrypt the Cookie and added an encryption passphrase. The Cookie name I used is the name of my Persistence Cookie - is this the correct 'Name' to use?

I then browsed to the site and found my Cookie on my PC - however, this contains the same information as the Cookie I received before I did the Encryption.

Have I done this right?

Can anyone tell me if I am actually approaching this in the right way to solve the problem?

Thanks very much in advance for any help...
  • Here are details on the cookie encryption

    http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookies.html

    Hope this helps

    CB
  • Thank you for the information. I have now applied the iRule to my VIP.

    A couple of points:

    - I am using ISA2006 FBA. When I enter the username/password, logon now takes about 15 secs to go through now that I am using the Cookie Encryption. Is this normal, and if so, are there any ways to improve the performance?

    - Do you know a quick way to test if my change has been successful? i.e. that it is now Encrypted?

    Many Thanks
  • Please ignore the first point above regarding performance - tied this down to a server issue.

    Thanks
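The thread leaves the "quick way to test if it is now encrypted" question unanswered. The script below is an added example, not code from the original posts or from F5: it checks whether a BIG-IP persistence cookie returned in a Set-Cookie header still uses the documented default cleartext encoding (pool member IPv4 address and port as little-endian decimals, "ip.port.0000"), which decodes trivially, or whether it has become an opaque value that no longer decodes. The cookie name prefix BIGipServer is assumed (the default persistence cookie name), and the sample headers are constructed.

```python
import re
import struct
import ipaddress

# Default (unencrypted) BIG-IP persistence cookies look like "<ip>.<port>.0000",
# where <ip> is the pool member's IPv4 address as a little-endian 32-bit decimal
# and <port> is its TCP port as a little-endian 16-bit decimal.
CLEARTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

def decode_persistence_cookie(value):
    """Return (ip, port) if value is a cleartext BIG-IP persistence cookie, else None."""
    m = CLEARTEXT_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_int)))  # undo byte reversal
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]  # undo byte reversal
    return ip, port

def audit_set_cookie_headers(set_cookie_values, cookie_prefix="BIGipServer"):
    """Map each BIGipServer* cookie in the given Set-Cookie values to a verdict:
    'CLEARTEXT ip:port' when it still decodes, 'OPAQUE' when it does not."""
    verdicts = {}
    for raw in set_cookie_values:
        name_value = raw.split(";", 1)[0]  # drop attributes such as path=/
        if "=" not in name_value:
            continue
        name, value = name_value.split("=", 1)
        name = name.strip()
        if not name.startswith(cookie_prefix):
            continue
        decoded = decode_persistence_cookie(value)
        verdicts[name] = f"CLEARTEXT {decoded[0]}:{decoded[1]}" if decoded else "OPAQUE"
    return verdicts

# Constructed sample headers (not captured from a real system): the first is the
# default encoding of pool member 10.1.1.100:80, the second a made-up opaque value
# standing in for an encrypted cookie, the third an unrelated cookie that is skipped.
SAMPLE_HEADERS = [
    "BIGipServerextranet_pool=1677787402.20480.0000; path=/",
    "BIGipServerextranet_pool_enc=Q29uc3RydWN0ZWRPcGFxdWVWYWx1ZQ==; path=/",
    "FedAuth=77u/PD94bWwgdmVyc2lvbj0iMS4wIj8+; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, verdict in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {verdict}")
```

Feed it the Set-Cookie values from a real response (e.g. copied from the browser's network tab); a persistence cookie that still reports CLEARTEXT with a plausible internal address and port has not been encrypted by the profile or iRule.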