Forum Discussion
karthik_sriniva
Nimbostratus
Oct 19, 2005
Encrypt Command
Hi guys,
I am trying to encrypt my cookie using the HTTP::cookie encrypt command. It works fine, but it affects performance. Without encryption, the page loads in 0.6 seconds. But with encryption i...
karthik_sriniva
Nimbostratus
Oct 19, 2005
This is script
```tcl
when RULE_INIT {
}

when CLIENT_ACCEPTED {
}

when HTTP_REQUEST {
    # Define cookie variables and the login-page indicator (isLoginPage)
    set cookieName "GTWLogin"
    set usernameCookie "GTWUSER"
    set cookieTimeout 15
    set username ""
    set userpwd ""
    set isLoginPage ""
    set cookieEncPwd "1400"
    set setUserCookie 0

    # Define processing variables
    set runRadiusAuthentication 1
    set setCookieDuringResp 0
    set setModAuthHdr 1
    set redirectInd 0

    # Logging condition
    set debugon 0

    # Define protected URI
    set protectedUri "/ll/"

    # Define unprotected URIs
    set unprotectedUri "/llsupport/"
    set loginImgUri "/gtwlogin/"
    set unprotectedPage "/gtwlogin/calograd.htm"

    # Define RADIUS authentication identifier
    set asid [AUTH::start pam default_radius]
    set performAuthId "cGVyZm9ybWF1dGgubWVkaW5zdC5jb20"

    # Define identifier to choose whether the login script is to be run
    set runCustomLogin 1
    set isImageUrl 0

    # Define logout URI
    set logout 0
    set logoutPath "/cmd/ICSLogout"
    set logoutPage "/gtwlogin/gtwlogout.htm"

    # Retrieve all required values
    set cookieDomain [HTTP::host]
    set cookieExists [HTTP::cookie exists $cookieName]
    set ckvalue [HTTP::cookie value $cookieName]
    set requestedUri [HTTP::uri]
    set requestedPage [HTTP::path]

    # If requested page is the logout command ICSLogout
    if { [HTTP::path] eq $logoutPath } {
        set logout 1
        set runCustomLogin 0
        set setModAuthHdr 0
        set setCookieDuringResp 0
    }

    # If requested page is the logout page
    if { $requestedPage eq $logoutPage } {
        set runCustomLogin 0
        set setModAuthHdr 0
        set setCookieDuringResp 0
    }

    # If request is for an image or other unprotected content
    if { [HTTP::path] contains $unprotectedPage || $requestedUri contains $unprotectedUri || $requestedUri contains $loginImgUri || $requestedUri contains ".png" || $requestedUri contains ".gif" || $requestedUri contains ".jpg" || $requestedUri contains ".jpeg" || $requestedUri contains ".css" } {
        set runCustomLogin 0
        set setModAuthHdr 0
    }

    # If requested page is protected
    if { [HTTP::uri] contains $protectedUri } {
        set runCustomLogin 1
    }

    # If cookie exists, always run through the login script
    if { $cookieExists eq 1 } {
        set runCustomLogin 1
    }

    # If the request is for a protected URI
    if { $runCustomLogin ne 0 } {
        if { $cookieExists } {
            if { $ckvalue ne "!-100119899091" } {
                HTTP::cookie decrypt $usernameCookie $cookieEncPwd 128
                set username [HTTP::cookie value $usernameCookie]
            } else {
                set username $ckvalue
            }
        }
        set reqdata [HTTP::payload]

        # Check if it's a POST from the login page
        if { $reqdata contains $performAuthId } {
            set runRadiusAuthentication 99
            set tmpUsername [findstr $reqdata "username" 9]
            set username [getfield $tmpUsername "&" 1]
            set tmppwd [findstr $reqdata "password" 9]
            set userpwd [getfield $tmppwd "&" 1]
            set isLoginRequested [findstr $reqdata "bigipLogin" 11]
            set isLoginPage [getfield $isLoginRequested "&" 1]
        }
        log "I am inside runcustomlogin ne 0 $runCustomLogin $runRadiusAuthentication $isLoginPage"

        # Check if the cookie exists but the user has already logged out
        if { $cookieExists eq 1 && $ckvalue eq "!-100119899091" && $runRadiusAuthentication ne 99 } {
            set redirectInd 99
            set runRadiusAuthentication 0
        }

        # Check if the session has timed out
        if { $redirectInd ne 99 && $cookieExists eq 1 && $runRadiusAuthentication ne 99 } {
            set currenttime [clock seconds]
            # Braced so the client-supplied cookie value is not re-substituted by expr
            set delta [expr {$currenttime - $ckvalue}]
            if { $delta > 15 } {
                set runRadiusAuthentication 0
                set setCookieDuringResp 0
                set setModAuthHdr 0
                set redirectInd 98
            } else {
                set setCookieDuringResp 1
                set runRadiusAuthentication 0
            }
        }

        # Run RADIUS authentication if runRadiusAuthentication is set to one ||| no cookie
        if { $runRadiusAuthentication ne 0 && $redirectInd ne 99 } {
            log "username $username "
            if { $username eq "" || $userpwd eq "" } {
                set redirectInd 99
            }
            log "About to call authenticate"
            if { $debugon eq 1 } {
                log "Abt to call auth"
            }
            if { $redirectInd ne 99 } {
                log "About to call authenticate $username : pwd"
                set setModAuthHdr 1
                AUTH::username_credential $asid $username
                AUTH::password_credential $asid $userpwd
                AUTH::authenticate $asid
                if { $redirectInd eq 0 } {
                    HTTP::collect
                }
            }
            log "complete call to auth"
        }

        # Set header for mod_auth_anon
        if { $setModAuthHdr eq 1 } {
            log "inside mod auth $username"
            set ename [b64encode "$username:\$apr1\$Vk1.....\$fVfqXg8t8iFv.guKLPJdi0"]
            HTTP::header remove Authorization
            HTTP::header insert XAuthorization $ename
            HTTP::header insert Authorization "Basic $ename"
        }
    }
}

when HTTP_RESPONSE {
    if { $setCookieDuringResp eq 1 } {
        log "setting cookie $requestedUri :: $isImageUrl"
        set cookieval [clock seconds]
        HTTP::cookie insert name $cookieName value $cookieval path / domain $cookieDomain
        HTTP::cookie encrypt $cookieName $cookieEncPwd 128
        HTTP::cookie expires $cookieName $cookieTimeout relative
        if { $setUserCookie eq 1 } {
            # Base64 variant left disabled: the request side reads this cookie without b64decode,
            # and inserting the same cookie twice would emit two Set-Cookie headers.
            # HTTP::cookie insert name $usernameCookie value [b64encode $username] path / domain $cookieDomain
            HTTP::cookie insert name $usernameCookie value $username path / domain $cookieDomain
            HTTP::cookie encrypt $usernameCookie $cookieEncPwd 128
            HTTP::cookie discard $usernameCookie enable
            HTTP::cookie expires $usernameCookie $cookieTimeout relative
        }
    }
    if { $redirectInd eq 98 } {
        HTTP::cookie insert name $cookieName value "!-100119899091" path / domain $cookieDomain
        HTTP::cookie insert name $usernameCookie value "!-100119899091" path / domain $cookieDomain
        HTTP::redirect "http://$cookieDomain/gtwlogin/caltimeout.htm"
    }
    if { $redirectInd eq 1 } {
        HTTP::redirect "http://$cookieDomain/gtwlogin/calfail.htm"
    }
    if { $redirectInd eq 2 || $redirectInd eq 99 } {
        HTTP::redirect "http://$cookieDomain/gtwlogin/calograd.htm"
    }
    if { $redirectInd eq 3 } {
        HTTP::redirect "http://$cookieDomain/gtwlogin/calerror.htm"
    }
    if { $logout eq 1 } {
        HTTP::redirect "http://$cookieDomain/gtwlogin/gtwlogout.htm"
    }
    if { $requestedPage eq $logoutPage } {
        HTTP::cookie insert name $cookieName value "!-100119899091" path / domain $cookieDomain
        HTTP::cookie insert name $usernameCookie value "!-100119899091" path / domain $cookieDomain
    }
}

when AUTH_SUCCESS {
    if { $debugon eq 1 } {
        log "AUTH CALLED"
    }
    if { $asid eq [AUTH::last_event_session_id] } {
        set setCookieDuringResp 1
        set setUserCookie 1
        HTTP::release
    }
}

when AUTH_FAILURE {
    if { $asid eq [AUTH::last_event_session_id] } {
        set redirectInd 1
        HTTP::release
    }
}

when AUTH_WANTCREDENTIAL {
    if { $debugon eq 1 } {
        log "WANT CRED"
    }
    if { $asid eq [AUTH::last_event_session_id] } {
        set redirectInd 2
        HTTP::release
    }
}

when AUTH_ERROR {
    if { $asid eq [AUTH::last_event_session_id] } {
        set redirectInd 3
        HTTP::release
    }
}
```
