Forum Discussion

Nick_T_68319's avatar
Nick_T_68319
Icon for Nimbostratus rankNimbostratus
Jun 03, 2011

encrypt default persistence cookie

I have been tasked to encrypt the default persistence cookie. I like how it names the cookie BIGipServer+pool name

 

 

I don't really want to create a cookie profile for each of my hundreds of sites, so i modified this iRule I found on devCentral.

 

 

 

Let me know what you guys think, and if you see any issues with this. It seems to work just fine. I have been testing it in pre-production for a few weeks now with no issues.

 

 

 

when CLIENT_ACCEPTED {

 

set cookiename "BIGipServer[LB::server pool]"

 

set encryption_passphrase "xxxxxxxx"

 

}

 

when HTTP_RESPONSE {

 

if { [HTTP::cookie exists $cookiename] } {

 

HTTP::cookie encrypt $cookiename $encryption_passphrase

 

}

 

}

 

when HTTP_REQUEST {

 

if { [HTTP::cookie exists $cookiename] } {

 

set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]

 

if { ($decrypted eq "") } {

 

Cookie wasn't encrypted, delete it

 

HTTP::cookie remove $cookiename

 

}

 

}

 

}

 

 

5 Replies

  • Hi Nick,

     

     

    That looks good. The only other suggestion I have for you is to consider using BIGipServer[LB::server pool] in the HTTP profile cookie encryption field. If we support the TCL command, it would eliminate the need for an iRule.

     

     

    If you try it could you reply back here with the result?

     

     

    Thanks, Aaron
  • i couldn't use BIGipServer[LB::server pool] in http profile cookie encryption field. i'm running 10.2.0.
  • I guess iRule commands aren't supported then in the Cookies to Encrypt field. Thanks for checking. It was worth a try.

     

     

    Aaron
  • maybe someday! I would love to have the option in the http profile to

     

     

    1) change the prefix of the cookie, so you could rename it to something other than BigIpServer

     

     

    2) Be able to encrypt all those cookies without having to specify each one in the profile. That can be a pain to manage if you have hundreds of sites.

     

  • So I applied it to a few sites with no issues, then I applied it to the rest of our sites including some high traffic ones and the CPU usage jumped from 40% to 85-90%... So I ended up rolling it back. Back to the drawing board I guess. Any suggestions on how to optimize this?