Forum Discussion
flomkrl_29950
Nimbostratus
Nov 27, 2008
Cookie steal risk?
Hello,
If another user catches the BIG-IP cookie, is it able to access the application without authentication? I'm referring to the iRule ClientAuthUsingHTMLForms (http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html)
Or does the authid include source client IP & port info?
Thanks for your explanation,
Regards,
flo
3 Replies
Hamish
Cirrocumulus
A couple of small observations about cookies... And this iRule.
1. I don't think the cookie is set as a 'secure' cookie. So in theory it's vulnerable to attack if it is presented to the site across an un-encrypted session.
2. The cookie actually contains data... Encrypting it is of dubious use. No encryption of the cookie contents will stop someone from stealing it. It would only stop someone from looking at it & changing it themselves.
Note that in an iRule you're probably not going to get away from 2. Normally you'd keep a session table with the info on the web server and the cookie would be a random value key to look that info up (e.g. in a hash table). But iRules don't really provide for that level of control.
Short answer is that there's nothing there to guarantee security. YMMV.
Hamish.
flomkrl_29950
Nimbostratus
Is there any way to make this cookie secure?
- some suggestion: add source IP to cookie information
Thanks,
Flo
hoolio
Cirrostratus
If you have clients connecting from behind pools of proxies or that are on DHCP with public IP addresses, it's possible that their IP address would legitimately change during a session.
As Hamish suggested, using HttpOnly and Secure on cookies can help. Using HTTPS should also help with cookie theft. And you can actually track session data in the LTM session table, but it's nowhere near as functional as on a typical web application.
Aaron
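The pattern Hamish and Aaron describe, a cookie that carries only an unguessable random key while the user data lives in a server-side session table, with the Secure and HttpOnly attributes set, as an added example that is not part of the thread and not the iRule's own code (the cookie name AUTHSID, the 900 s idle timeout and the in-memory table are assumptions):

```python
import secrets
import time

SESSION_TTL = 900          # assumed idle timeout in seconds
COOKIE_NAME = "AUTHSID"    # hypothetical cookie name

# Server-side session table: opaque random key -> session record.
# The cookie carries only the key, so reading it reveals no user data and
# editing it cannot forge a different identity; only the key itself matters.
_sessions = {}

def create_session(username, now=None):
    """Authentication succeeded: allocate a 256-bit random session key."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid

def set_cookie_header(sid):
    """Set-Cookie value with the attributes discussed in the thread.
    Secure:   the browser only sends it over HTTPS, so a plaintext hop
              cannot expose it.
    HttpOnly: script running in the page cannot read it."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly"

def lookup_session(cookie_header, now=None):
    """Resolve the request's Cookie header to a username, or None."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME:
            continue
        rec = _sessions.get(value)
        if rec is None:
            return None
        if rec["expires"] <= now:        # idle timeout: drop the stale entry
            del _sessions[value]
            return None
        rec["expires"] = now + SESSION_TTL   # sliding expiry on each use
        return rec["user"]
    return None

def logout(sid):
    """Server-side revocation: a stolen key stops working immediately,
    which no amount of cookie encryption can achieve on its own."""
    return _sessions.pop(sid, None) is not None
```

Binding the session to the client IP, as Flo suggested, would be one more field in the record, but Aaron's caveat applies: clients behind proxy pools or on changing addresses would be logged out mid-session.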