Forum Discussion
Siva_107534
Nimbostratus
Dec 28, 2009
How to encrypt the cookies generated by LTM?
Hi All,
How to encrypt the cookie information generated by LTM in the browser, because
by default cookies in the browser display the Internal Pool IP of web servers
accessed...
hoolio
Cirrostratus
Dec 11, 2010
That's a cool site. Here's the iRule code:
TCL error: Rule Enterprise_F5_Fix_with_E35-THD_cookie_encrypt HTTP_REQUEST - cant read cookie: no such variable while executing HTTP::cookie value $cookie
when CLIENT_ACCEPTED {
    # Define an AES encryption key. A 128 bit (or larger) key is recommended.
    # You can use a key generator, or create your own using only HEX characters.
    set aes_key "63544a5e7178677b45366b4140"

    # Name of the cookie to encrypt/decrypt
    set cookie "app_cookie"

    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    set cookie_encryption_debug 0
}
when HTTP_REQUEST {
    # If the error cookie exists with any value, for any requested object, try to decrypt it
    if {[string length [HTTP::cookie value $cookie]]} {
        if {$cookie_encryption_debug} {log local0. \
            "Original error cookie value: [HTTP::cookie value $cookie]"}

        # URI decode the value (catching any errors that occur when trying to
        # decode the cookie value and save the output to cookie_uri_decoded)
        if {not ([catch {URI::decode [HTTP::cookie value $cookie]} cookie_uri_decoded])} {
            # Log that the cookie was URI decoded
            if {$cookie_encryption_debug} {log local0. "\$cookie_uri_decoded was set successfully"}

            # Decrypt the value
            if {not ([catch {AES::decrypt $aes_key $cookie_uri_decoded} cookie_decrypted])} {
                # Log the decrypted cookie value
                if {$cookie_encryption_debug} {log local0. "\$cookie_decrypted: $cookie_decrypted"}
            } else {
                # URI decoded value couldn't be decrypted.
            }
        } else {
            # Cookie value couldn't be URI decoded
        }
    } else {
        # Cookie wasn't present in the request
    }
    if {[HTTP::uri] ends_with ".asmx?WSDL"} {
        set rewrite 1
        if { [HTTP::version] eq "1.1" } {
            HTTP::version "1.0"
        }
    } else {
        set rewrite 0
    }
    switch [getfield [string tolower [HTTP::uri]] "/" 2] {
        appe21test { pool test.app_EE_20 }
        appe21 { pool www.company.com_e20 }
        appe30 { pool www.company.com_e30 }
        appe30test { pool www.company.com_e30test }
        se08q4 { pool www.company.com_08q4 }
    }
}
when HTTP_RESPONSE {
    # Check if response contains an error cookie with a value
    if {[string length [HTTP::cookie value $cookie]] > 0} {
        # Log the original error cookie value from the app
        if {$cookie_encryption_debug} {log local0. \
            "Response from app contained our cookie: [HTTP::cookie value $cookie]"}

        # Encrypt the cookie value so the client can't change the value
        HTTP::cookie value $cookie [URI::encode [AES::encrypt $aes_key [HTTP::cookie value $cookie]]]

        # Log the encoded and encrypted error cookie value
        if {$cookie_encryption_debug} {log local0. \
            "Encrypted error cookie to: [URI::encode [AES::encrypt $aes_key [HTTP::cookie value $cookie]]]"}
    }
    if {$rewrite == 1} {
        # collect payload for URI replacement
        if {[HTTP::header exists Content-Length]} {
            set clength [HTTP::header Content-Length]
        } else {
            set clength 4294967295
        }
        if { !($clength == 0) } {
            HTTP::collect $clength
        }
    }
}
when HTTP_RESPONSE_DATA {
    set payload [HTTP::payload]
regsub -all {(
Aaron
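To check whether responses still expose the pool member that the original question describes, the following audit script is an added example and not code from this thread. It assumes the default unencrypted IPv4 persistence cookie layout (`<address>.<port>.0000`, both numbers byte-reversed); the function names and the sample headers are constructed for illustration.

```python
import ipaddress
import re
import socket
import struct

# Default (unencrypted) LTM cookie-persistence value: <ip>.<port>.0000,
# where both numbers are the byte-reversed address and port in decimal.
PERSIST_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_persistence_value(value):
    """Return (ip, port) if value is a cleartext persistence cookie, else None."""
    m = PERSIST_RE.match(value)
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None  # digits only, but not a valid address/port encoding
    ip = socket.inet_ntoa(struct.pack("<I", ip_num))
    port = struct.unpack("<H", struct.pack(">H", port_num))[0]
    return ip, port


def audit_set_cookie_headers(headers):
    """Return (cookie name, ip, port, is_private) for every leaking Set-Cookie value."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        value = rest.split(";", 1)[0].strip()
        decoded = decode_persistence_value(value)
        if decoded:
            ip, port = decoded
            private = ipaddress.ip_address(ip).is_private
            findings.append((name.strip(), ip, port, private))
    return findings


# Constructed Set-Cookie values: one cleartext persistence cookie, one opaque
# value standing in for an encrypted cookie, one unrelated application cookie.
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerweb_pool=!b3BhcXVlLWNpcGhlcnRleHQ=; path=/",
    "app_cookie=U2FsdGVk%3D%3D; path=/; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print("cleartext persistence cookie:", finding)
```

An empty result from `audit_set_cookie_headers` over captured response headers indicates that no cookie in the sample still carries the cleartext address encoding.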
