Forum Discussion

Chris_Phillips's avatar
Icon for Nimbostratus rankNimbostratus
May 15, 2012

Cookie security - Encryption vs Secure+HttpOnly




We're currently running a tweak version of the rule here on our 10.2 LTM's. it doesn't work well and has never been well integrated into the back end apps. We get multiple cookies with the same name and other ugly mess in general.




Looking to improve our lot here, I'm thinking that it make make more sense to encrypt the cookies rather than screw around with the headers like this. Given that all our domains will come back to one of two LTM pairs for all content, there seems no technical issue in doing this encryption at all, and removes the need for this irule which is... not nice. The lack of direct HttpOnly support in iRules is not great etc, and it seems much cleaner to just say "encrypt those cookies!" and walk away.




Whilst these are clearly different solutions, they seem to provide a similar end result of making the cookies useless outside of out environment.




One thing I'm interested in, is if there is any notable performance hit with the AES workload that this would generate on what can be a very very busy site.




BTW as a little background the iRule was put in fairly recently as a combat to the BEAST attacks, which seems in itself a little wonky to me, as the rule is really for XSS and only serves to benefit possible issues around plaintext MITM attacks when it coes to the areas BEAST is interested in... Hmmm.










2 Replies

  • Hi Chris,



    As you said, HttpOnly is an attempt to mitigate XSS. Encrypting cookies mitigates cookie value tampering and possibly information disclosure if you're using cookie values with meaningful data (as opposed to session IDs, etc). But encryption does nothing to prevent use of another user's cookies by a malicious user.



    There is a fairly significant performance hit with encrypting cookie values so I'd only use it if you're concerned about information disclosure or cookie tampering.



  • By the way, there's an RFE (BZ227347) for adding more native options for setting the HttpOnly and secure flags for cookies being sent in a response. Adding more cases to the request will help raise the visibility of the request.