Forum Discussion
DaveC_53879
Nimbostratus
May 06, 2011
cookie persistence sendfor: http only
Need help with cookie persistence. LTM version 9.4.6. How do I set the F5 cookie to http only?
14 Replies
- hoolio
Cirrostratus
Hi Dave,
Did this come up in a vulnerability report for your LTM hosted app? It is possible to append the HttpOnly flag to LTM's set-cookie header. However, the persistence cookie only dictates which pool member LTM sends requests to. There aren't any significant security concerns with an attacker getting this as it's not used (at least by default) by LTM for anything security related.
If you do want to append the HttpOnly flag, you could try something like this:

    when SERVER_CONNECTED {
        # Save the name of the currently connected pool
        set pool_name [LB::server pool]
    }
    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie BIGipServer${pool_name}] ne ""} {
            # Replace the last Set-Cookie header value with the same value and "; HttpOnly" appended
            HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie]; HttpOnly"
        }
    }
Aaron
- DaveC_53879
Nimbostratus
Hi Hoolio,
Thanks for the response. Yes, a security scan identified the issue and I've been tasked with correcting it. I will try your suggestion, but I'll also try to convince the powers-that-be that this is not a security concern, although in the long run it's just easier to make the issue go away.
Dave
- hoolio
Cirrostratus
Just to clarify, the cookie insert persistence cookie contains an encoding of the pool member IP:port as described in SOL6917:
sol6917: Overview of BIG-IP persistence cookie encoding
https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html
So it does contain what could be considered sensitive data as it exposes the server IP addresses and ports from the pool. If that's a concern for you, you can encrypt the cookie value using a custom HTTP profile:
sol7784: Overview of cookie encryption
http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html
That said, the fact that the persistence cookie is accessible from clientside scripts is somewhat irrelevant as it's not specific to the client's session--an attacker could get all of the possible cookie values just by making requests to the virtual server.
Aaron
- DaveC_53879
Nimbostratus
I actually already encrypt the cookie, so the rule as is does not work. Is there a way to just append http only to end of the cookie string w/o having to read the cookie?
Change this
Response sets a cookie:
Set-Cookie: cookie_20=JWOPqD5SyEEcTl6wL8WbEaGhvIF3mSxzdYWRnGXyQTssab7fYqmJGJ2EfiYfHwAssBZQ0brxJV7mNdo=; expires=Thu, 12-May-2011 15:51:54 GMT; path=/
To this
Response sets a cookie:
Set-Cookie: cookie_20=JWOPqD5SyEEcTl6wL8WbEaGhvIF3mSxzdYWRnGXyQTssab7fYqmJGJ2EfiYfHwAssBZQ0brxJV7mNdo=; expires=Thu, 12-May-2011 15:51:54 GMT; path=/; HttpOnly
- hoolio
Cirrostratus
That's what that iRule I posted should do. What happens if you try it? If you're concerned about it not working and the virtual server is in production, you could create a test virtual server and try it there.
Aaron
- DaveC_53879
Nimbostratus
Thanks for getting back to me. There is no change. It looks like your script needs to read the string BIGipServerAA_sessiontest_pool, with AA_sessiontest_pool as my pool for testing, but can't since it's encrypted. If I unencrypt the cookie your iRule works as expected. I tried replacing the actual name of my cookie in your script, but that didn't help.
    when SERVER_CONNECTED {}
    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie cookie_sessiontest$] ne ""} {
            # Replace the last Set-Cookie header value with the same value and "; HttpOnly" appended
            HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie]; Http Only"
        }
    }
- hoolio
Cirrostratus
It doesn't need to "read" the cookie value; it's just checking to see that the cookie is set and has any value.
Can you try this to get more debug info:

    when SERVER_CONNECTED {
        # Save the name of the currently connected pool
        set pool_name [LB::server pool]
        log local0. "[IP::client_addr]:[TCP::client_port]: Pool $pool_name"
    }
    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie BIGipServer${pool_name}] ne ""} {
            log local0. "[IP::client_addr]:[TCP::client_port]: Cookie BIGipServer${pool_name} set, rewriting Set-Cookie: [HTTP::header Set-Cookie]"
            # Replace the last Set-Cookie header value with the same value and "; HttpOnly" appended
            HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie]; HttpOnly"
        }
    }
    when HTTP_RESPONSE priority 501 {
        # Debug logging only. Remove this once testing is complete.
        log local0. "[IP::client_addr]:[TCP::client_port]: Current Set-Cookie: [HTTP::header Set-Cookie]"
    }
Aaron
- DaveC_53879
Nimbostratus
Here is the result. I get 10 of these.
Rule http_only : 64.191.221.100:1097: Current Set-Cookie:
- DaveC_53879
Nimbostratus
Aaron,
Sorry. I think this is what you're looking for.
May 13 11:05:56 tmm tmm[1711]: Rule http_only : 64.191.221.100:47542: Pool AA_sessiontest_pool
May 13 11:05:56 tmm tmm[1711]: Rule http_only : 64.191.221.100:47542: Current Set-Cookie: cookie_20=3MTDetqiTe58F2Qk3Pa6bfE+YCnjQ3KhZ36GpN9uVuKnfdWXYgtn9FvIgk/kb6V6p/JPVuwLd9hmpDY=; expires=Fri, 13-May-2011 15:25:56 GMT; path=/
Dave
- hoolio
Cirrostratus
Do you have a custom persistence cookie name? If so, you can change the iRule to this:

    when SERVER_CONNECTED {
        # Save the name of the currently connected pool
        set pool_name [LB::server pool]
        log local0. "[IP::client_addr]:[TCP::client_port]: Pool $pool_name"
    }
    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie "persistence_cookie_name"] ne ""} {
            log local0. "[IP::client_addr]:[TCP::client_port]: Cookie persistence_cookie_name set, rewriting Set-Cookie: [HTTP::header Set-Cookie]"
            # Replace the last Set-Cookie header value with the same value and "; HttpOnly" appended
            HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie]; HttpOnly"
        }
    }
    when HTTP_RESPONSE priority 501 {
        # Debug logging only. Remove this once testing is complete.
        log local0. "[IP::client_addr]:[TCP::client_port]: Current Set-Cookie: [HTTP::header Set-Cookie]"
    }
Aaron
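As an added example (not the thread's iRule, and in Python rather than Tcl), here are the two checks this thread turns on, run over constructed response headers: whether the persistence cookie's value is still the default SOL6917 plaintext encoding that reveals a pool member (the case for enabling cookie encryption per SOL7784), whether it carries HttpOnly, and the iRule's rewrite applied to every Set-Cookie header rather than only the last one. The JSESSIONID cookie, the BIGipServerAA_sessiontest_pool value and the 10.1.1.100:80 member are constructed; the cookie_20 value is the one Dave posted, and the encoding rule is the one SOL6917 documents.

```python
import re
import struct
# Default cookie-insert value (SOL6917): "<ipv4 as little-endian int>.<port, bytes swapped>.0000"
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

def decode_pool_member(value: str):
    """(ip, port) if value is an unencrypted persistence value, else None."""
    m = PLAINTEXT_RE.match(value)
    if not m or int(m.group(1)) > 0xFFFFFFFF or int(m.group(2)) > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", int(m.group(1))))
    port = struct.unpack("<H", struct.pack(">H", int(m.group(2))))[0]
    return ip, port

def _split(set_cookie: str):
    """Set-Cookie value -> (cookie name, cookie value, lower-cased attributes)."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, _, value = first.partition("=")
    return name.strip(), value.strip(), [a.lower() for a in attrs]

def audit(headers: list, persist_name: str) -> list:
    """Scanner-style findings for each Set-Cookie that sets the persistence cookie."""
    findings = []
    for h, v in headers:
        name, value, attrs = _split(v)
        if h.lower() != "set-cookie" or name != persist_name:
            continue
        member = decode_pool_member(value)
        if member:  # plaintext value: the internal pool member address is readable
            findings.append(f"{name} exposes pool member {member[0]}:{member[1]}")
        if "httponly" not in attrs:
            findings.append(f"{name} lacks HttpOnly")
    return findings

def add_httponly(headers: list, persist_name: str) -> list:
    """The iRule's rewrite over every matching Set-Cookie; safe to run twice."""
    out = []
    for h, v in headers:
        name, _, attrs = _split(v)
        if h.lower() == "set-cookie" and name == persist_name and "httponly" not in attrs:
            v = v.rstrip().rstrip(";") + "; HttpOnly"
        out.append((h, v))
    return out

# Constructed response: an app cookie, the thread's encrypted cookie_20, and a constructed unencrypted persistence cookie for 10.1.1.100:80.
SAMPLE = [
    ("Set-Cookie", "JSESSIONID=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "cookie_20=JWOPqD5SyEEcTl6wL8WbEaGhvIF3mSxzdYWRnGXyQTssab7fYqmJGJ2EfiYfHwAssBZQ0brxJV7mNdo=; expires=Thu, 12-May-2011 15:51:54 GMT; path=/"),
    ("Set-Cookie", "BIGipServerAA_sessiontest_pool=1677787402.20480.0000; path=/"),
]
```

Running audit() against your own virtual server's headers after the iRule is in place is the quickest way to confirm both findings from the scan are closed.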