I currently utilize a static key value to create a custom encrypted cookie to validate user session authenticity via cookie values. I would like to move over to using an HMAC solution, but having issues with the currently provided example. I am currently running 10.2 code on my LTM, so some of the current information on 11.x using new commands is irrelevant. Does anyone have an example laying around or can translate the example at https://devcentral.f5.com/codeshare/hmac for me? Thanks

Hi Dtwesten, the mentioned codeshare sample seems to use just commands, that where already available on 10.2 plattforms. Did you already tried this sample on your box? Any TCL related error messages received? Cheers, Kai

Nothing yet.. The example didn't really define with comments what the values mean. For example, I believe the message variable is the data I want encrypted and that the token is the output. This could be just an issue of me reading up on HMAC, so just trying to see if someone has a full blown example of how they used it for say... user session authentication or validation.. Make sense? Thanks for replying so quickly

Hi dtwesten, regarding hmac codeshare example, I remember implementing it based on algorithm found on hmac wiki https://en.wikipedia.org/wiki/Hash-based_message_authentication_code the hash result in binary is stored in variable "token" the hash result in hex string is stored in variable "hextoken" Nat

On the first sight i would say that $message is the message to be authenticated and $input is your secret key. You may also take a look to the available Google-Authenticator iRule samples, to see some real world examples. GA tokens are using HMAC-SHA1 calculations. Cheers, Kai

Since Nat Thirasuttakorn is aware of your question, I would leave the conversation now. I guess its far more effective if he answers any questions regarding his code... ;-) Good luck with your development and Cheers, Kai

F5 iRule Example integrating HMAC

30 Replies

gpoverland
Nimbostratus
Feb 16, 2016
Sure.. It was an off-the-wall idea a friend and I had, so glad to put it out there for others to enjoy. I am just glad you had the chops to code it. My attempts were too ugly for the public eye (Network guy coding = very ugly code)...
gpoverland
Nimbostratus
Feb 16, 2016
Kai.. quick question on the logic. It looks like you are validating the cached hmac_values hash against the hmac_cookie value when the two cookies (application cookie and hmac cookie are present). This compares the hash of the two values instead of the values that made the hash. Do you think there is a concern since the actual hashed value is being passed as a cookie? Wouldn't you want to compare the values or is verification of the hash enough validation? Is there any reason you are not rejecting the session from being established or do you see removing the cookie as a forcing function (just scared of creating a scenario where there is an endless cycle of connection attempts with no failure). Lastly, in the response, you used http::header insert instead of http::cookie insert. I know the header command is the older version, but is their a reason you went with header insert? Thanks
Kai_Wilke
MVP
Feb 16, 2016
Hey Devon,

Doesn't this present a hole in the security, or is comparing the hashed value the check?

The HMAC security check is indeed just a compare funtion.

You compute the HMAC token on each Set-Cookie so that the client gets the fitting HMAC cookie for its APP cookie at the very same time.

On each request you'll then either use the cached HMAC token (cache key = app cookie and X509) or a fresh computed HMAC token (always computable based on the app cookie and X509) to compare it with the received HMAC cookie value.

Also, noticed if the applicaiton cookie or hmac cookie returns nothing, you create a new one. Is there any reason we are not rejecting the session from being established or do you see removing the cookie as a forcing function

Rejecting the session would be to agressive and cause the client to never get the initial app and hamc cookie.

But I do remove the cookie evertime the client is sending just the app cookie or if the hmac and app cookie simply doesn't match. Removing the cookie is the same as the client didn't received/send it. So the application have to issue a new one (after reauthentication, etc.) and while the new Set-Cookie is passed to the client a fresh HMAC cookie is injected to the client again.

So this shouldn't loop as long as nobody is trying to manipulate either of the cookie values.

Note: Don't spend much time in this outdated code. My latest version is much more advanced and easier to understand. I hope to get my testings done till end of the week. I'll then publish the v10 and v11 version to the code share. So stay tuned... ;-)

Cheers, Kai
Kai_Wilke
MVP
Feb 20, 2016
Hi Devon,

I've just published my latest code to the CodeShare...

High Performance HMAC Cookie Signing

https://devcentral.f5.com/codeshare/high-performance-hmac-cookie-signing

High Performance HMAC Cookie Signing (for v10.x)

https://devcentral.f5.com/codeshare/high-performance-hmac-cookie-signing-for-v10x

Let me know if you have any questions left... ;-)

Cheers, Kai

Forum Discussion

F5 iRule Example integrating HMAC

30 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Any way to cache HEAD request

can you help with getting a BigIP virtual edition serial key

VIP in https that redirect to another vip in https

In Using the AST tool am I pointing it to TENANTS or to the F5OS(hardware) I have?

2026 is Almost Here

Related Content

Time based iRule example

APM variable assign examples

F5 NGINX Automation Examples [Part 2: Deploying NGINXaaS with App Protect and Grafana Integration]

Identity-centric F5 ADSP Integration Walkthrough

Irule Example Issue

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS