Forum Discussion

sam_111661
Dec 02, 2008

HTTP::cookie and decryption

I'm trying to avoid authenticating each and every GET / POST HTTP request by using cookies. I would be grateful if anybody could explain to me what's wrong here.

The domain is correct, and the client receives the cookie and sends it back with the next request, but HTTP::cookie decrypt is not decrypting it correctly; the logs are below the iRule. If I disable encrypting / decrypting, everything works fine.

when CLIENT_ACCEPTED {
    # Per-connection state: whether to insert the auth cookie on the response,
    # and whether this request must still go through PAM authentication.
    set authinsck 0
    set forceauth 1
    set ckname BIGXAUTH
    set ckpass 12345678
    # The cookie carries the client IP, so it only validates when presented from that address
    set ckvalue [IP::client_addr]
    set ckdomain 192.168.1.10
    set asid [AUTH::start pam default_ldap]
}

when HTTP_REQUEST {
    if {[HTTP::cookie exists $ckname]} {
        log "HTTP cookie sent in request is [HTTP::cookie $ckname]"
        # Decrypt the cookie in place once; a second decrypt call would run on the
        # already-decrypted value, so the log reads the cookie value instead.
        HTTP::cookie decrypt $ckname $ckpass 128
        log "decrypted cookie is: [HTTP::cookie value $ckname]"
        if {[HTTP::cookie value $ckname] eq $ckvalue} {
            set forceauth 0
        }
        # Never forward the auth cookie to the pool member
        HTTP::cookie remove $ckname
    }
    if {$forceauth == 1} {
        AUTH::username_credential $asid [HTTP::username]
        AUTH::password_credential $asid [HTTP::password]
        AUTH::authenticate $asid
        # Hold the request until AUTH_SUCCESS releases it
        HTTP::collect
    }
}

when HTTP_RESPONSE {
    if {$authinsck == 1} {
        HTTP::cookie insert name $ckname value $ckvalue path / domain $ckdomain
        HTTP::cookie secure $ckname enable
        # Encrypt in place once, then log the value that is actually sent
        HTTP::cookie encrypt $ckname $ckpass 128
        log "HTTP cookie sent in response is [HTTP::cookie $ckname]"
    }
}

when AUTH_SUCCESS {
    if {$asid eq [AUTH::last_event_session_id]} {
        set authinsck 1
        HTTP::release
    }
}


Dec 3 00:19:01 tmm tmm[17530]: 01220002:6: Rule http_cookie : HTTP cookie sent in response is ROteWMN4zP5XoReq3pkmwJ4509NFp0OGWXYf/9mdXJaF8xb8IAFZOJby7eZfEqw6T2nZ8DNz0veF2wK1qVrZ5Fm6WmqSzMpMziJbddPDbnVqmPGhmxfESId9zTz+/ntBN58Y/i/+KUNyGQ==
Dec 3 00:19:01 tmm tmm[17530]: 01220002:6: Rule http_cookie : HTTP cookie sent in request is ROteWMN4zP5XoReq3pkmwJ4509NFp0OGWXYf/9mdXJaF8xb8IAFZOJby7eZfEqw6T2nZ8DNz0veF2wK1qVrZ5Fm6WmqSzMpMziJbddPDbnVqmPGhmxfESId9zTz+/ntBN58Y/i/+KUNyGQ==
Dec 3 00:19:01 tmm tmm[17530]: 01220002:6: Rule http_cookie : decrypted cookie is:

  • Colin_Walker_12
    Historic F5 Account
    That's quite odd, you're right. The syntax looks correct, and I'm surprised you're not seeing any output from the decrypt command. Are there any other log entries being generated?

    Colin
  • Thanks Colin, I can't see anything else in the logs. I'm running this version:

    BIG-IP Version 9.4.4 94.0
    Hotfix HF3 Edition

  • If I use AES::decrypt, everything works fine, but I understand from the wiki that the recommended method is HTTP::cookie decrypt.

    # Uses the variables ($ckname, $ckvalue, $ckdomain, $authinsck, $forceauth)
    # set in CLIENT_ACCEPTED in the first iRule above.
    when RULE_INIT {
        # Key generated once at rule load (event placement assumed; the post does not show it).
        # A key regenerated per connection could not decrypt cookies issued on earlier connections.
        set ::key [AES::key 128]
    }

    when HTTP_REQUEST {
        if {[HTTP::cookie exists $ckname]} {
            set encrypted [HTTP::cookie $ckname]
            log "cookie sent by client is [HTTP::cookie $ckname]"
            # Undo the base64 wrapping applied on the response side, then decrypt
            set decrypted [AES::decrypt $::key [b64decode $encrypted]]
            log "decrypted cookie is $decrypted"
            if {$decrypted eq $ckvalue} {
                set forceauth 0
            }
        }
    }

    when HTTP_RESPONSE {
        if {$authinsck == 1} {
            # AES output is binary, so base64-encode it before placing it in a cookie
            set encrypted [b64encode [AES::encrypt $::key $ckvalue]]
            HTTP::cookie insert name "$ckname" value $encrypted domain $ckdomain
            log "cookie sent by bigip is $encrypted"
        }
    }
  • c_p_i_o_17707
    Historic F5 Account
    This is a bug in the product. This issue has been resolved in 9.4.5 (CR95909).
  • c_p_i_o_17707
    Historic F5 Account
    You're right, CR95909 is missing from the release notes for 9.4.5. Probably an oversight. This works fine in stable 9.3.1. Only 9.4.x to 9.4.4 seems to be affected.

    Hope this helps.
  • No encryption / decryption:

        +-> HTTP_REQUEST 53 total 0 fail 0 abort
        | | Cycles (min, avg, max) = (103344, 167404, 265256)

    With encryption / decryption:

        +-> HTTP_REQUEST 58 total 0 fail 0 abort
        | | Cycles (min, avg, max) = (217545, 12018182, 12121843)

    Is this a normal difference in CPU cycles when using encryption / decryption versus when not? I'm testing this on a very old box with a P3 1 GHz, but the number still doesn't make sense: when using the iRulesRuntimeCalculator it showed me that the maximum number of requests would be around 80, while I was able to simulate around 200 users with the CPU load around 40%.
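As an added worked example (not from the thread and not F5 code), the two timing profiles above turned into a request-rate budget; it assumes the poster's 1 GHz Pentium III behaves as a single core and that every cycle of the box is available to the HTTP_REQUEST event.

```python
import re

# Constructed sample input: the two "timing" profile excerpts quoted in the thread,
# one taken with HTTP::cookie encrypt/decrypt disabled, one with it enabled.
PROFILE_PLAIN = """\
+-> HTTP_REQUEST 53 total 0 fail 0 abort
| | Cycles (min, avg, max) = (103344, 167404, 265256)
"""
PROFILE_CRYPTO = """\
+-> HTTP_REQUEST 58 total 0 fail 0 abort
| | Cycles (min, avg, max) = (217545, 12018182, 12121843)
"""

EVENT_RE = re.compile(r"\+-> (\w+) (\d+) total (\d+) fail (\d+) abort")
CYCLES_RE = re.compile(r"Cycles \(min, avg, max\) = \((\d+), (\d+), (\d+)\)")


def parse_profile(text):
    """Map each event in a timing profile to its counters and cycle statistics."""
    events, current = {}, None
    for line in text.splitlines():
        if m := EVENT_RE.search(line):
            current = m.group(1)
            events[current] = dict(zip(("total", "fail", "abort"), map(int, m.groups()[1:])))
        elif (m := CYCLES_RE.search(line)) and current:
            events[current].update(zip(("min", "avg", "max"), map(int, m.groups())))
    return events


def max_requests_per_sec(avg_cycles, clock_hz):
    """Ceiling on requests/s for one core if every cycle went to this event."""
    return clock_hz / avg_cycles


def cpu_fraction(requests_per_sec, avg_cycles, clock_hz):
    """Share of one core the event consumes at a given request rate."""
    return requests_per_sec * avg_cycles / clock_hz


if __name__ == "__main__":
    clock = 1_000_000_000  # assumed: the poster's 1 GHz Pentium III, treated as one core
    plain = parse_profile(PROFILE_PLAIN)["HTTP_REQUEST"]["avg"]
    crypto = parse_profile(PROFILE_CRYPTO)["HTTP_REQUEST"]["avg"]
    print(f"encryption costs {crypto / plain:.1f}x the cycles of the plain request")
    print(f"ceiling with encryption: {max_requests_per_sec(crypto, clock):.1f} req/s")
    print(f"40% load therefore equals {0.4 * max_requests_per_sec(crypto, clock):.1f} req/s")
```

At 12,018,182 cycles per request a 1 GHz core tops out near 83 requests per second, in line with the calculator's estimate of around 80, and 40% load is then about 33 requests per second, so 200 users only reach that figure if each sends roughly one request every six seconds.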