Forum Discussion
Adrien_Legros_1
Altostratus
AltostratusEncrypt-Decrypt all the cookies on the fly
Our applications use a lot of cookies so I wanted to secure it via an Irule inspired by these i can find in this forum but nothing is working. When I use my Irule or another one, my website doesn't work at all.
Thanks if someone can help me to understand what's wrong with the Irule:
My idea was:
- init a passphrase.
- for each cookie, I encrypt it, remove the older one and I insert the encrypted one (server -> client).
- for each cookie, I decrypt it, remove the older one and I insert the decrypted one. (client -> server)
when RULE_INIT {
set ::cookie_passphrase "123AqwZsx"
}
when HTTP_RESPONSE {
set myValues [HTTP::cookie names]
foreach mycookies $myValues {
log local0. "Cookie $mycookies : Value before encryption is [HTTP::cookie value $mycookies]: "
set encrypted_value [HTTP::cookie encrypt $mycookies $::cookie_passphrase]
log local0. "Encrypted value is $encrypted_value"
HTTP::cookie remove $mycookies
HTTP::cookie insert name $mycookies value $encrypted_value
log local0. "Cookie $mycookies : Send value is [HTTP::cookie value $mycookies]: "
}
}
when HTTP_REQUEST {
set myValues [HTTP::cookie names]
foreach mycookies $myValues {
log local0. "Cookie $mycookies : Received value is [HTTP::cookie value $mycookies]: "
set decrypted_value [HTTP::cookie decrypt $mycookies $::cookie_passphrase]
HTTP::cookie remove $mycookies
HTTP::cookie insert name $mycookies value $decrypted_value
log local0. "Cookie $mycookies : Decrypted value send to backend is [HTTP::cookie value $mycookies]: "
}
}
9 Replies
hoolioCirrostratus
Hi Adrien,
Are there any errors in /var/log/ltm? Can you post anonymized copies of the ltm logs? Which LTM version are you running?
Also, is there ever a case where the app expects that a client should be able to modify a cookie value?
Aaron
Adrien_Legros_1Hello, first thanks for your interest with my problem.
Here is an extract of the LTM log. It seems to work with the cookie cook1 and sometimes there is nothing in it...
And I don't think the client should modify the cookie. If he should, I understand that I could not encrypt-decrypt it on the F5.
Thu Oct 16 14:57:18 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie cook1 : Received value is GmTM4JrlKFPgC6p1af3uqAiAYbAFIk3l4X3Ff4/rQm7SUmTL7dzZ7rldPauDpZCk1STylq0gaPrVIKFOSlJImklEusM2eIVxZpJGxkGTD7KrCG7qjSlbRBLGZD/WY=:
Thu Oct 16 14:57:18 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie cook1 : Decrypted value send to backend is 1e1bcc1010b6de32734c584317443b31.00.025c64fa80e0da7e279af9b0bd9212ca:
Thu Oct 16 14:57:18 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie cook1_wat_2Enbb2Ebe_2F : Received value is QVNQLk5FVF9TZXNzaW9uSWQ_?4b284dd5eaf9f32ef409c86291a232d1:
Thu Oct 16 14:57:18 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie cook1_wat_2Enbb2Ebe_2F : Decrypted value send to backend is :
Thu Oct 16 14:57:18 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie ns_cookietest : Received value is true:
Thu Oct 16 14:57:18 CEST 2008 tmm tmm[944] 01220001 TCL error: Rule secure_cookie_test HTTP_REQUEST - Out of bounds line 1 invoked from within HTTP::cookie decrypt $mycookies $::cookie_passphrase foreach body line 3 invoked from within foreach mycookies $myValues { log local0. Cookie $mycookies : Received value is [HTTP::cookie value $mycookies]: set decrypted_value [HTTP::co...
Thu Oct 16 14:57:33 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie nbbrpid : Received value is GmTM4JrlKFPgC6p1af3uqAiAYbAFIk3l4X3Ff4/rQm7SUmTL7dzZ7rldPauDpZCk1STylq0gaPrVIKFOSlJImklEusM2eIVxZpJGxkGTD7KrCG7qjSlbRBLGZD/WY=:
Thu Oct 16 14:57:33 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie nbbrpid : Decrypted value send to backend is 1e1bcc1010b6de32734c584317443b31.00.025c64fa80e0da7e279af9b0bd9212ca:
Thu Oct 16 14:57:33 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie nbbrpid_wat_2Enbb2Ebe_2F : Received value is QVNQLk5FVF9TZXNzaW9uSWQ_?4b284dd5eaf9f32ef409c86291a232d1:
Thu Oct 16 14:57:33 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie nbbrpid_wat_2Enbb2Ebe_2F : Decrypted value send to backend is :
Thu Oct 16 14:57:33 CEST 2008 tmm tmm[944] Rule secure_cookie_test HTTP_REQUEST: Cookie ns_cookietest : Received value is true:
Thu Oct 16 14:57:33 CEST 2008 tmm tmm[944] 01220001 TCL error: Rule secure_cookie_test HTTP_REQUEST - Out of bounds line 2 invoked from within HTTP::cookie decrypt $mycookies $::cookie_passphrase foreach body line 3 invoked from within foreach mycookies $myValues { log local0. Cookie $mycookies : Received value is [HTTP::cookie value $mycookies]: set decrypted_value [HTTP::co...- Adrien_Legros_1I understood that the encryption did not work on the boolean value to test if the cookies are sen. So, I've modified my code:
One cookie is well encrypted but the others are sent in clear...that's what I dont understand... No more errors in the LTM logs..
when RULE_INIT {
set ::cookie_passphrase "123AqwZsx"
}
when HTTP_RESPONSE {
log local0. "reponse1"
set myValues [HTTP::cookie names]
foreach mycookies $myValues {
if {$mycookies ne "ns_cookietest"}{
log local0. "Cookie $mycookies : Value before encryption is [HTTP::cookie value $mycookies]: "
set encrypted_value [HTTP::cookie encrypt $mycookies $::cookie_passphrase]
log local0. "Encrypted value is $encrypted_value"
HTTP::cookie remove $mycookies
HTTP::cookie insert name $mycookies value $encrypted_value
log local0. "Cookie $mycookies : Send value is [HTTP::cookie value $mycookies]: "
}
}
}
when HTTP_REQUEST {
set myValues [HTTP::cookie names]
foreach mycookies $myValues {
if {$mycookies ne "ns_cookietest"}{
log local0. "Cookie $mycookies : Received value is [HTTP::cookie value $mycookies]: "
set decrypted_value [HTTP::cookie decrypt $mycookies $::cookie_passphrase]
HTTP::cookie remove $mycookies
HTTP::cookie insert name $mycookies value $decrypted_value
log local0. "Cookie $mycookies : Decrypted value send to backend is [HTTP::cookie value $mycookies]: "
}
}
} - hoolioCan you post the logs from a full request/response/request loop where the client makes a new request with no cookies, the app sets one or more and then the client makes a second request with the cookie(s)?
Can you also check the application log to see what cookies LTM is actually including in the proxied request?
Thanks,
Aaron - Adrien_Legros_1First request :
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: fr-be,nl-be;q=0.5
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; custom; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; InfoPath.2; custom; custom)
Host: www-test.be
Connection: Keep-Alive
Cookie: cook1_wlf_%2X%2Ebe_%2F=d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf; __utma=137988534.2036467364596942600.1224164176.1224164176.1224164176.1; __utmb=137988534.1.10.1224164176; __utmz=137988534.1224164176.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
response:
....
Set-Cookie: cook1=1e1bcc1010b6de32734c584317443b31.00.b4c9d0e1eeb6a643fa3704930bcce80d; domain=.X.be; path=/
....
Second request with the cookies on my client:
....
Cookie: nbbrpid_wlf_%2X%2Ebe_%2F=d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf; cook1=1e1bcc1010b6de32734c584317443b31.00.a25aec8bff1a72dd30e197dd08f85656; __utma=137988534.2036467364596942600.1224164176.1224164176.1224164297.2; __utmb=137988534.1.10.1224164297; __utmz=137988534.1224164176.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ns_cookietest=true; ns_session=true; __utmc=137988534
Response:
Set-Cookie: cook1_wat_%2X%2Ebe_%2F=QVNQLk5FVF9TZXNzaW9uSWQ_?f44df5b292c91c84cf313fd96395178f; domain=.X.be; path=/
Cook1 is well encrypted - decrypted but nothing happens with the others. - Adrien_Legros_1I d'ont have access to the application logs...sorry
- Adrien_Legros_1First time I come to the website, everything works. It says that it is a new request.. but when I click on a link or refresh the page, nothing appears and here are the errors in the LTM:
I thought I red on the forum that the encrypt-decrypt will not change the cookie but only return a value. Thanks for your information.
Why did you add "or 1" in the if test ?
Thanks again for your help !!!
Mon Oct 20 08:14:47 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, original value: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf
Mon Oct 20 08:14:47 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, decrypted value sent to server: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf, $decrypted_value:
Mon Oct 20 08:14:47 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie ns_cookietest, original value: true
Mon Oct 20 08:14:47 CEST 2008 tmm tmm[944] 01220001 TCL error: Rule Secure_Cookie HTTP_REQUEST - Out of bounds line 5 invoked from within HTTP::cookie decrypt $cookie_name $::cookie_passphrase foreach body line 7 invoked from within foreach cookie_name [HTTP::cookie names] { if {$cookie_name ne ns_cookietest or 1}{ log local0. Cookie $cookie_name, original ...
Mon Oct 20 08:14:48 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: 10.33.1.8:2303: New request to www-test.nbb.be/pub/02_00_00_00_00/02_01_00_00_00/02_01_01_00_00.htm?l=enn=1 with 8 cookies
Mon Oct 20 08:14:48 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, original value: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8
Mon Oct 20 08:14:48 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, decrypted value sent to server: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8, $decrypted_value:
Mon Oct 20 08:14:48 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, original value: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf
Mon Oct 20 08:14:48 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, decrypted value sent to server: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf, $decrypted_value:
Mon Oct 20 08:14:48 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie ns_cookietest, original value: true
Mon Oct 20 08:14:48 CEST 2008 tmm tmm[944] 01220001 TCL error: Rule Secure_Cookie HTTP_REQUEST - Out of bounds line 5 invoked from within HTTP::cookie decrypt $cookie_name $::cookie_passphrase foreach body line 7 invoked from within foreach cookie_name [HTTP::cookie names] { if {$cookie_name ne ns_cookietest or 1}{ log local0. Cookie $cookie_name, original ...
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: 10.33.1.8:2306: New request to www-test.nbb.be/ with 8 cookies
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, original value: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, decrypted value sent to server: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8, $decrypted_value:
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, original value: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, decrypted value sent to server: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf, $decrypted_value:
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie ns_cookietest, original value: true
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] 01220001 TCL error: Rule Secure_Cookie HTTP_REQUEST - Out of bounds line 5 invoked from within HTTP::cookie decrypt $cookie_name $::cookie_passphrase foreach body line 7 invoked from within foreach cookie_name [HTTP::cookie names] { if {$cookie_name ne ns_cookietest or 1}{ log local0. Cookie $cookie_name, original ...
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: 10.33.1.8:2307: New request to www-test.nbb.be/ with 8 cookies
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, original value: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, decrypted value sent to server: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8, $decrypted_value:
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, original value: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, decrypted value sent to server: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf, $decrypted_value:
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie ns_cookietest, original value: true
Mon Oct 20 08:14:50 CEST 2008 tmm tmm[944] 01220001 TCL error: Rule Secure_Cookie HTTP_REQUEST - Out of bounds line 5 invoked from within HTTP::cookie decrypt $cookie_name $::cookie_passphrase foreach body line 7 invoked from within foreach cookie_name [HTTP::cookie names] { if {$cookie_name ne ns_cookietest or 1}{ log local0. Cookie $cookie_name, original ...
Mon Oct 20 08:14:53 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: 10.33.1.8:2309: New request to www-test.nbb.be/ with 8 cookies
Mon Oct 20 08:14:53 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, original value: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8
Mon Oct 20 08:14:53 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid, decrypted value sent to server: 1e1bcc1010b6de32734c584317443b31.00.a5e62aacf3631cab4abf5a196075b1d8, $decrypted_value:
Mon Oct 20 08:14:53 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, original value: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf
Mon Oct 20 08:14:53 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie nbbrpid_wlf_2Enbb2Ebe_2F, decrypted value sent to server: d2NvX3dlYnNpdGU_?0190f8a8f762916c71a08f02dbd1eedf, $decrypted_value:
Mon Oct 20 08:14:53 CEST 2008 tmm tmm[944] Rule Secure_Cookie HTTP_REQUEST: Cookie ns_cookietest, original value: true
Mon Oct 20 08:14:53 CEST 2008 tmm tmm[944] 01220001 TCL error: Rule Secure_Cookie HTTP_REQUEST - Out of bounds line 5 invoked from within HTTP::cookie decrypt $cookie_name $::cookie_passphrase foreach body line 7 invoked from within foreach cookie_name [HTTP::cookie names] { if {$cookie_name ne ns_cookietest or 1}{ log local0. Cookie $cookie_name, original ... - hoolioHi Adrien,
The 'or 1' I added was just to quickly test the rule you were using. I should have removed that part before posting the example.
If the example isn't working and you're getting a TCL error, you could open a case with F5 Support to ask what is causing the error. The only other time I've seen that error is when modifying the HTTP payload with an invalid offset specified for the replacement. I don't think that's relevant for this rule.
Aaron - Adrien_Legros_1Thank you very very much for all your help. I'll contact F5 support.
Thanks again !
