Cookie security - Encryption vs Secure+HttpOnly
We're currently running a tweaked version of the rule here https://devcentral.f5.com/weblogs/J...style.aspx on our 10.2 LTMs. It doesn't work well and has never been well integrated into the back-end apps. We get multiple cookies with the same name and other ugly messes in general.
Looking to improve our lot here, I'm thinking that it may make more sense to encrypt the cookies rather than screw around with the headers like this. Given that all our domains will come back to one of two LTM pairs for all content, there seems to be no technical issue in doing this encryption at all, and it removes the need for this iRule, which is... not nice. The lack of direct HttpOnly support in iRules is not great etc., and it seems much cleaner to just say "encrypt those cookies!" and walk away.
Whilst these are clearly different solutions, they seem to provide a similar end result of making the cookies useless outside of our environment.
One thing I'm interested in is whether there is any notable performance hit from the AES workload that this would generate on what can be a very, very busy site.
BTW, as a little background, the iRule was put in fairly recently to combat the BEAST attacks, which seems in itself a little wonky to me, as the rule is really for XSS and only serves to benefit possible issues around plaintext MITM attacks when it comes to the areas BEAST is interested in... Hmmm.
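For reference, here is an added iRule (not the DevCentral rule linked above, nor F5's own code) that shows the flag-injection approach done in a way that avoids the duplicate-cookie problem described in the post: it reads every Set-Cookie value from the response, removes the originals, and re-inserts each one exactly once with Secure and HttpOnly appended only when they are not already present. It assumes the `HTTP::header values`, `HTTP::header remove` and `HTTP::header insert` commands behave on LTM 10.2 as they do on later versions, and it does not replace cookie encryption, which also protects the cookie contents rather than just the browser-side handling.

```tcl
# Added example: normalise Set-Cookie headers on the way back to the client.
# Assumes standard HTTP::header commands; tested syntax on later LTM versions.
when HTTP_RESPONSE {
    # Grab every Set-Cookie value (one list element per header line).
    set cookies [HTTP::header values Set-Cookie]

    # Nothing to do for responses without cookies.
    if { [llength $cookies] == 0 } {
        return
    }

    # Remove all existing Set-Cookie headers so we never end up with
    # the original plus a rewritten copy of the same cookie name.
    HTTP::header remove Set-Cookie

    foreach cookie $cookies {
        set lower [string tolower $cookie]

        # Only append a flag when the app did not already set it,
        # so a compliant back end is passed through unchanged.
        if { !($lower contains "httponly") } {
            append cookie "; HttpOnly"
        }
        if { !($lower contains "secure") } {
            append cookie "; Secure"
        }

        HTTP::header insert Set-Cookie $cookie
    }
}
```

Because the rule rewrites only the attributes and leaves the name and value untouched, a back end that reads its own cookies back sees nothing different; the Secure attribute does, however, mean the browser will stop sending those cookies over plain HTTP, so it should only be applied on virtual servers where all cookie-bearing paths are served over TLS.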