Forum Discussion
Albert__Tase_70
Nimbostratus
May 27, 2009
I need to encrypt a cookie and add the Secure;HttpOnly
I have the following but am getting error messages:
when RULE_INIT {
    set ::key [AES::key 128]
}
when HTTP_RESPONSE {
    set decrypted [HTTP::cookie "secure_cookie"]
    HTTP::cookie remove "secure_cookie"
    set encrypted [b64encode [AES::encrypt $::key $decrypted]]
    HTTP::header insert "Set-Cookie" "COOKIE=secure_cookie;Version=1;Secure;HttpOnly"
}
}
when HTTP_REQUEST {
    set encrypted [HTTP::cookie "secure_cookie"]
    HTTP::cookie remove "secure_cookie"
    set decrypted [AES::decrypt $::key [b64decode $encrypted]]
    HTTP::cookie insert name "secure_cookie" value $decrypted
}
Please let me know what's wrong and how to fix it.
th
1 Reply
- hoolio
Cirrostratus
Which version of LTM are you using? For 9.4.0+ you can use the HTTP profile option to encrypt the cookie as described in SOL7784 (Click here). If you're not on 9.4.0+, you can change this:
HTTP::header insert "Set-Cookie" "COOKIE=secure_cookie;Version=1;Secure;HttpOnly"
to:
HTTP::header insert "Set-Cookie" "secure_cookie=$encrypted; Version=1; Secure; HttpOnly"
Your rule isn't actually doing anything with the encrypted value in HTTP_RESPONSE. So when you try to decrypt the cookie in a subsequent request it will fail as it wasn't encrypted to begin with.
In general, it helps if you describe what error messages you see.
Aaron
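The change described in the reply, applied to the whole rule, as an added example that is not part of the original thread. The `HTTP::cookie exists` checks and the `catch` around decryption are additions assumed here, not something either poster wrote, and treating an empty decryption result as a failure is an assumption about how `AES::decrypt` reports bad input.

```tcl
when RULE_INIT {
    # Key is generated when the rule loads, as in the original post.
    # Cookies issued before a reload will no longer decrypt afterwards.
    set ::key [AES::key 128]
}

when HTTP_RESPONSE {
    # Only act when the server actually set the cookie in this response.
    if { [HTTP::cookie exists "secure_cookie"] } {
        set decrypted [HTTP::cookie "secure_cookie"]

        # Drop the server's cleartext Set-Cookie so it never reaches the client.
        HTTP::cookie remove "secure_cookie"

        # Encrypt, then base64-encode so the value is safe to carry in a header.
        set encrypted [b64encode [AES::encrypt $::key $decrypted]]

        # The fix from the reply: send the encrypted value under the real
        # cookie name, together with the Secure and HttpOnly attributes.
        HTTP::header insert "Set-Cookie" "secure_cookie=$encrypted; Version=1; Secure; HttpOnly"
    }
}

when HTTP_REQUEST {
    # Only act when the client sent the cookie back.
    if { [HTTP::cookie exists "secure_cookie"] } {
        set encrypted [HTTP::cookie "secure_cookie"]

        # Remove the encrypted copy; the server only ever sees cleartext or nothing.
        HTTP::cookie remove "secure_cookie"

        # A value that was never encrypted, or was altered by the client, is
        # assumed to raise an error or decrypt to an empty string. In either
        # case the cookie stays removed and the server treats the request as
        # having no cookie.
        if { [catch { set decrypted [AES::decrypt $::key [b64decode $encrypted]] }] || $decrypted eq "" } {
            log local0. "secure_cookie failed to decrypt from [IP::client_addr]"
        } else {
            HTTP::cookie insert name "secure_cookie" value $decrypted
        }
    }
}
```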