Jeyakumar_Nadar
Mar 13, 2006

Cookie encryption/decryption using iRule

Hello,

I am trying to write a script that will encrypt/decrypt a cookie, but am having a little trouble with the syntax used in the BIG-IP. I need to check to make sure that a cookie is not decrypted before I decrypt it and am not sure of the "if" statement I can use. Here is the code I am using now:

when HTTP_REQUEST {
  if {CHECK TO SEE IF ALREADY DECRYPTED, PLEASE HELP!!!} {
    HTTP::cookie remove "MyCookie"
  } else {
    HTTP::cookie decrypt "MyCookie" KeyValue
  }
}

when HTTP_RESPONSE {
  HTTP::cookie encrypt "MyCookie" KeyValue
}

I need to make sure that I do not decrypt an already decrypted cookie. Can anybody help me with the "if" statement that I need?

Thanks in Advance!

Jeya

 

  • First, I'd look at the sample code on encrypting cookies:

    http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookie.html

    As for determining whether a cookie has been encrypted, you could try one of these ways:

    1) Extract the cookie value from the server and prefix it with something unique (i.e. "enc:"). Then encrypt that value. On the next request, look for your cookie and decrypt it. If it starts with your known string "enc:", remove the prefix (with substr) and pass it to the server. If it doesn't start with "enc:", pass the original value to the server.

    2) Mask the backend cookie with your own cookie name. Let's say the backend cookie is called "MyCookie". On the Response you extract that value and create an encrypted cookie called something else like "MySecuredCookie" and remove the original "MyCookie". Then on the next request, look for the "MySecuredCookie" and decrypt it and stuff the decrypted value into a new "MyCookie" and remove the encrypted "MySecuredCookie".

    Just a few things that popped into my head. I'm sure there are others as well.

    Let us know how it goes and what you end up using. That would make a good addition to the CodeShare.

    -Joe
  • Thanks for the idea, but I do not know the necessary syntax to do this. Can you send me some documentation, links or an API for the language? With that information I will be able to implement one of your ideas. Thanks again!

    Jeya
  • When I say syntax, I mean function calls, and proper code formatting, thanks.

    Jeya
  • I included a link in the previous post to a sample iRule that does cookie encryption.

    Here are some relevant sources of information:

    TCL Reference - Click here
    iRules Documentation - Click here
    Sample iRules - Click here

    HTH

    -Joe

  • Thanks for the quick replies, but I am still having a few issues. I am trying to concat "enc" onto the encrypted cookie string using this code in the Response:

    set encrypted [HTTP::cookie encrypt mycookie cookiekey]
    set newencrypted [concat "enc" $encrypted]

    and in the Request, I am not sure how to check to see if the "enc" is in the string. Any ideas on which command to use? You suggested substr before, but I could not find any documentation on how to implement it. Thanks for your help!

  • Documentation for "substr" is in the iRules wiki link above. Look on the Commands page and you should find it. If you don't like my solution below, feel free to use the builtin string commands. Check out the TCL reference above as well as it has a lot of string functions that can come in handy.

    As for your logic, now that I think about it, I would probably just encrypt the cookie, insert the encrypted cookie with a new name "emycookie", and remove the original mycookie. This way you can determine from the cookie name whether it's encrypted as opposed to the contents.

    when RULE_INIT {
      # Generate the AES key once, when the rule is loaded
      set ::cookieKey [AES::key]
    }
    when HTTP_RESPONSE {
      # Server -> client: replace the clear cookie with an encrypted one under a new name
      if { [HTTP::cookie exists "mycookie"] } {
        set decrypted [HTTP::cookie "mycookie"]
        HTTP::cookie remove "mycookie"
        set encrypted [b64encode [AES::encrypt $::cookieKey $decrypted]]
        HTTP::cookie insert name "emycookie" value $encrypted
      }
    }
    when HTTP_REQUEST {
      # Client -> server: the cookie name itself says the value is encrypted
      if { [HTTP::cookie exists "emycookie"] } {
        set encrypted [HTTP::cookie "emycookie"]
        HTTP::cookie remove "emycookie"
        set decrypted [AES::decrypt $::cookieKey [b64decode $encrypted]]
        HTTP::cookie insert name "mycookie" value $decrypted
      }
    }

    I've added a couple of extra sanity checks in there to look for cookie existence and such.

    Hope this helps...

    -Joe
  • unRuleY_95363
    Historic F5 Account
    Joe had a misplaced square bracket above. I have edited his post to correct it.
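
The marker-prefix approach Joe lists as option 1 is discussed in the thread but never shown in code; the iRule below is an added example of it, not code from any of the posters. It reuses the cookie name, the "enc:" marker and the AES::key, AES::encrypt, AES::decrypt, b64encode, b64decode and HTTP::cookie calls that appear in the posts; the ::marker variable and the use of catch around decryption are assumptions made for this example.

```tcl
# Added example: marker prefix inside the encrypted value (option 1 in the thread).
when RULE_INIT {
  # Key is generated when the rule is loaded, as in Joe's rule. A cookie
  # issued under an earlier key will simply fail the marker check below.
  set ::cookieKey [AES::key]
  # Assumption for this example: marker kept in a variable so both events agree.
  set ::marker "enc:"
}
when HTTP_RESPONSE {
  if { [HTTP::cookie exists "mycookie"] } {
    # Prefix the clear value with the marker, then encrypt and base64-encode it.
    set value [HTTP::cookie "mycookie"]
    set clear "${::marker}${value}"
    HTTP::cookie remove "mycookie"
    HTTP::cookie insert name "mycookie" value [b64encode [AES::encrypt $::cookieKey $clear]]
  }
}
when HTTP_REQUEST {
  if { [HTTP::cookie exists "mycookie"] } {
    set raw [HTTP::cookie "mycookie"]
    set clear ""
    # Decoding or decrypting a value this rule never produced can fail;
    # catch keeps the request alive and leaves $clear empty in that case.
    catch { set clear [AES::decrypt $::cookieKey [b64decode $raw]] }
    if { [string first $::marker $clear] == 0 } {
      # Marker found at position 0: strip it and pass the original value on.
      set value [string range $clear [string length $::marker] end]
      HTTP::cookie remove "mycookie"
      HTTP::cookie insert name "mycookie" value $value
    }
    # No marker: the cookie was not encrypted by this rule. Following Joe's
    # description it is passed through unchanged; a stricter policy would
    # drop it instead with: HTTP::cookie remove "mycookie"
  }
}
```

Because the marker is checked only after decryption, a client cannot make an arbitrary value look "already encrypted" just by typing the prefix in front of it.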