Forum Discussion
Jeyakumar_Nadar
Nimbostratus
Mar 13, 2006
Cookie encryption/decryption using iRule
Hello,
I am trying to write a script that will encrypt/decrypt a cookie, but am having a little trouble with the syntax used in the BIG-IP. I need to check to make sure that a cookie is not decrypted before I decrypt it and am not sure of the "if" statement I can use. Here is the code I am using now:
when HTTP_REQUEST {
    if {CHECK TO SEE IF ALREADY DECRYPTED, PLEASE HELP!!!} {
        HTTP::cookie remove "MyCookie"
    } else {
        HTTP::cookie decrypt "MyCookie" KeyValue
    }
}
when HTTP_RESPONSE {
    HTTP::cookie encrypt "MyCookie" KeyValue
}
I need to make sure that I do not decrypt an already decrypted cookie. Can anybody help me with the "if" statement that I need?
Thanks in Advance!
Jeya
7 Replies
- First, I'd look at the sample code on encrypting cookies
http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookie.html
As for determining whether a cookie has been encrypted, you could try one of these ways:
1) Extract the cookie value from the server and prefix it with something unique (i.e. "enc:"). Then encrypt that value. On the next request, look for your cookie and decrypt it. If it starts with your known string "enc:", remove the prefix (with substr) and pass it to the server. If it doesn't start with "enc:", pass the original value to the server.
2) Mask the backend cookie with your own cookie name. Let's say the backend cookie is called "MyCookie". On the Response you extract that value and create an encrypted cookie called something else like "MySecuredCookie" and remove the original "MyCookie". Then on the next request, look for the "MySecuredCookie" and decrypt it and stuff the decrypted value into a new "MyCookie" and remove the encrypted "MySecuredCookie".
Just a few things that popped into my head. I'm sure there are others as well.
Let us know how it goes and what you end up using. That would make a good addition to the CodeShare.
-Joe
- Jeyakumar_Nadar
Nimbostratus
Thanks for the idea, but I do not know the necessary syntax to do this. Can you send me some documentation, links or an API for the language? With that information I will be able to implement one of your ideas. Thanks again!
Jeya
- Jeyakumar_Nadar
Nimbostratus
When I say syntax, I mean function calls, and proper code formatting, thanks.
Jeya
- I included a link in the previous post to a sample iRule that does cookie encryption.
Here are some relevant sources of information
TCL Reference - Click here
iRules Documentation - Click here
Sample iRules - Click here
HTH
-Joe
- Jeyakumar_Nadar
Nimbostratus
Thanks for the quick replies, but I am still having a few issues. I am trying to concat "enc" onto the encrypted cookie string using this code in the Response:
set encrypted [HTTP::cookie encrypt mycookie cookiekey]
set newencrypted [concat "enc" $encrypted]
and in the Request, I am not sure how to check to see if the "enc" is in the string. Any ideas on which command to use? You suggested substr before, but I could not find any documentation on how to implement it. Thanks for your help!
- Documentation for "substr" is in the iRules wiki link above. Look on the Commands page and you should find it. If you don't like my solution below, feel free to use the builtin string commands. Check out the TCL reference above as well, as it has a lot of string functions that can come in handy.
As for your logic, now that I think about it, I would probably just encrypt the cookie, insert the encrypted cookie with a new name "emycookie", and remove the original mycookie. This way you can determine from the cookie name whether it's encrypted as opposed to the contents.
    when RULE_INIT {
        # Generate the AES key once, when the rule is loaded
        set ::cookieKey [AES::key]
    }
    when HTTP_RESPONSE {
        if { [HTTP::cookie exists "mycookie"] } {
            # Swap the server's plaintext cookie for an encrypted "emycookie"
            set decrypted [HTTP::cookie "mycookie"]
            HTTP::cookie remove "mycookie"
            set encrypted [b64encode [AES::encrypt $::cookieKey $decrypted]]
            HTTP::cookie insert name "emycookie" value $encrypted
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::cookie exists "emycookie"] } {
            # Restore the plaintext "mycookie" before the request reaches the server
            set encrypted [HTTP::cookie "emycookie"]
            HTTP::cookie remove "emycookie"
            set decrypted [AES::decrypt $::cookieKey [b64decode $encrypted]]
            HTTP::cookie insert name "mycookie" value $decrypted
        }
    }
I've added a couple of extra sanity checks in there to look for cookie existence and such.
Hope this helps...
-Joe
- unRuleY_95363
Historic F5 Account
Joe had a misplaced square bracket above. I have edited his post to correct it.
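Added example, not part of the original thread or of F5's sample code: an iRule that combines the two suggestions above (the renamed "emycookie" plus an "enc:" marker inside the plaintext) and drops the cookie when decoding or decryption fails or the marker is missing. The cookie names and `::cookieKey` follow Joe's post; the `catch` wrapper, the marker check and the removal of a client-supplied plaintext "mycookie" (mirroring the intent of the original question) are assumptions of this example.

```tcl
when RULE_INIT {
    # Key generated when the rule loads, as in Joe's post. Cookies issued
    # under an earlier key will fail the checks below and be dropped.
    set ::cookieKey [AES::key]
}

when HTTP_RESPONSE {
    if { [HTTP::cookie exists "mycookie"] } {
        # Prefix the plaintext with a known marker before encrypting
        set plain [HTTP::cookie "mycookie"]
        HTTP::cookie remove "mycookie"
        set encrypted [b64encode [AES::encrypt $::cookieKey "enc:$plain"]]
        HTTP::cookie insert name "emycookie" value $encrypted
    }
}

when HTTP_REQUEST {
    # This rule never sends "mycookie" to the client, so a plaintext copy
    # arriving in a request was not issued by it; remove it (assumption).
    if { [HTTP::cookie exists "mycookie"] } {
        HTTP::cookie remove "mycookie"
    }
    if { [HTTP::cookie exists "emycookie"] } {
        set encrypted [HTTP::cookie "emycookie"]
        HTTP::cookie remove "emycookie"
        # catch traps a Tcl error raised while decoding or decrypting bad
        # input; the marker check covers output that is not our plaintext.
        if { [catch { set plain [AES::decrypt $::cookieKey [b64decode $encrypted]] }] == 0
             && [string range $plain 0 3] eq "enc:" } {
            # Strip the 4-character marker and hand the value to the server
            HTTP::cookie insert name "mycookie" value [string range $plain 4 end]
        }
        # Otherwise no "mycookie" is forwarded and the server sees no cookie
    }
}
```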
