Encrypted cookies on strict uri
Hi, I need to encrypt my cookies on a specific URI.
I have this iRule:
when HTTP_RESPONSE {
    set myValues [HTTP::cookie names]
    foreach mycookies $myValues {
        if { [HTTP::cookie version $mycookies] != 1 } {
            set ckval [HTTP::cookie value $mycookies]
            set ckpath [HTTP::cookie path $mycookies]
            HTTP::cookie remove $mycookies
            HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
        }
        HTTP::cookie secure $mycookies enable
        HTTP::cookie httponly $mycookies enable
    }
}
But this iRule encrypts all the cookies.
I tried this:
when HTTP_REQUEST{
    set orighost [HTTP::host]
    set origuri [HTTP::uri]
    set uri1 "/sso"
}
when HTTP_RESPONSE {
    set myValues [HTTP::cookie names]
    foreach mycookies $myValues {
        if { ([HTTP::cookie version $mycookies] != 1 ) and ($origuri starts_with "$uri1") }
        {
            set ckval [HTTP::cookie value $mycookies]
            set ckpath [HTTP::cookie path $mycookies]
            HTTP::cookie remove $mycookies
            HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
        }
        HTTP::cookie secure $mycookies enable
        HTTP::cookie httponly $mycookies enable
    }
}
But it doesn't work.
Can you help me fix that?
Regards
Hello
Technically, you are not encrypting your cookies; you are encrypting your communication by tagging your cookies with "secure".
REF - https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie
REF - https://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
The rest of the code only replaces the cookie version of all of them.
HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
Encryption is done by using
HTTP::cookie encrypt <name> <pass phrase> ["128" | "192" | "256"]
---
So, if you need to apply the iRule only for queries which have a specific URI, you should do something like this (with the condition containing the whole code).
when HTTP_REQUEST {
    # Save the lower-cased request URI so the response event can test it
    set origuri [string tolower [HTTP::uri]]
}
when HTTP_RESPONSE {
    set myValues [HTTP::cookie names]
    # Only touch cookies when the request URI starts with the chosen prefix
    if { $origuri starts_with "uri" } {
        foreach mycookies $myValues {
            if { [HTTP::cookie version $mycookies] != 1 } {
                # Re-insert the cookie as version 1, keeping its value and path
                set ckval [HTTP::cookie value $mycookies]
                set ckpath [HTTP::cookie path $mycookies]
                HTTP::cookie remove $mycookies
                HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
            }
            HTTP::cookie secure $mycookies enable
            HTTP::cookie httponly $mycookies enable
        }
    }
}
You can find the meaning of each HTTP::cookie command here
https://clouddocs.f5.com/api/irules/HTTP__cookie.html
KR,
Dario.
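Added example, not part of the original thread and not F5's own code: a sketch of applying the HTTP::cookie encrypt command quoted above only to responses for requests under /sso, with the matching decrypt on the way back in. The passphrase, the static:: variable names and the cookie name SSOSESSION are placeholders, and the sketch assumes the application sets that cookie with a Path under /sso so the browser only returns it on in-scope requests.

```tcl
when RULE_INIT {
    # Assumed values for this example; replace before use and keep the
    # real passphrase out of source control.
    set static::ck_pass "REPLACE_WITH_LONG_RANDOM_PASSPHRASE"
    set static::ck_prefix "/sso"
    # Hypothetical cookie name(s) to protect
    set static::ck_names {SSOSESSION}
}

when HTTP_REQUEST {
    # Record whether this request is in scope; HTTP_RESPONSE reads the flag.
    set in_scope 0
    if { [string tolower [HTTP::path]] starts_with $static::ck_prefix } {
        set in_scope 1
        foreach name $static::ck_names {
            if { [HTTP::cookie exists $name] } {
                # Decrypt before the request reaches the pool member.
                # An empty result is treated here as a failed decryption
                # (stale, unencrypted or modified value) and the cookie is
                # dropped rather than forwarded.
                if { [HTTP::cookie decrypt $name $static::ck_pass] eq "" } {
                    HTTP::cookie remove $name
                }
            }
        }
    }
}

when HTTP_RESPONSE {
    if { $in_scope } {
        foreach name $static::ck_names {
            # Encrypt only cookies the server actually set in this response
            if { [HTTP::cookie exists $name] } {
                HTTP::cookie encrypt $name $static::ck_pass
            }
        }
    }
}
```

If the cookie's Path is wider than /sso, the browser also sends the encrypted value on out-of-scope requests, so the decrypt side has to cover every path on which the cookie can return.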
- Jean_MamèneCirrus
Hi Dario,
Thanks for your answer,
The iRule on the specific URI works.
Thanks
Great! I'm glad to hear this. You are welcome.
I would appreciate it if you mark my answer as "the best" or give me an upvote.
KR,
Dario.