Forum Discussion

Albert__Tase_70
May 27, 2009

I need to encrypt a cookie and add the Secure;HttpOnly

I have the following, but I am getting error messages:

when RULE_INIT {
    # generate one AES-128 key, shared by all connections
    set ::key [AES::key 128]
}

when HTTP_RESPONSE {
    # take the cookie the backend set and re-issue it encrypted
    set decrypted [HTTP::cookie "secure_cookie"]
    HTTP::cookie remove "secure_cookie"
    set encrypted [b64encode [AES::encrypt $::key $decrypted]]
    HTTP::header insert "Set-Cookie" "COOKIE=secure_cookie;Version=1;Secure;HttpOnly"
}

when HTTP_REQUEST {
    # reverse the process on the way back in
    set encrypted [HTTP::cookie "secure_cookie"]
    HTTP::cookie remove "secure_cookie"
    set decrypted [AES::decrypt $::key [b64decode $encrypted]]
    HTTP::cookie insert name "secure_cookie" value $decrypted
}


Please let me know what's wrong and how to fix it.
  • hoolio
    Which version of LTM are you using? For 9.4.0+ you can use the HTTP profile option to encrypt the cookie as described in SOL7784. If you're not on 9.4.0+, you can change this:

    HTTP::header insert "Set-Cookie" "COOKIE=secure_cookie;Version=1;Secure;HttpOnly"

    to:

    HTTP::header insert "Set-Cookie" "secure_cookie=$encrypted; Version=1; Secure; HttpOnly"

    Your rule isn't actually doing anything with the encrypted value in HTTP_RESPONSE. So when you try to decrypt the cookie in a subsequent request it will fail as it wasn't encrypted to begin with.

    In general, it helps if you describe what error messages you see.

    Aaron
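For readers landing here with the same problem, below is the rule with Aaron's fix applied and the error handling a practitioner would want on top. This is an added example, not the original poster's rule and not F5-supplied code. It assumes an LTM 9.x-style global `::key` set in RULE_INIT (on 10.x and later a `static::` variable is the usual choice), that the backend names the cookie `secure_cookie`, and that a base64 string is acceptable as a Version=1 cookie value (browsers accept the `=`, `+` and `/` characters in practice, though the old RFC 2109 syntax would strictly call for quoting them).

```tcl
# Added example (not the original poster's rule or F5's own code): the rule
# from the question with the Set-Cookie line corrected and with guards for the
# missing-cookie and failed-decrypt cases. Assumes LTM 9.x-style globals and
# that the backend sets a cookie literally named "secure_cookie".
when RULE_INIT {
    # One AES-128 key for the whole rule. Caveat: a key generated here changes
    # on every config reload and differs between HA peers, so cookies issued
    # before the reload stop decrypting. For production, run [AES::key 128]
    # once and paste the resulting key string here instead.
    set ::key [AES::key 128]
    set ::cookie_name "secure_cookie"
}

when HTTP_RESPONSE {
    # Only act when the backend actually set the cookie on this response.
    if { [HTTP::cookie exists $::cookie_name] } {
        set plaintext [HTTP::cookie $::cookie_name]
        # Drop the backend's cleartext Set-Cookie ...
        HTTP::cookie remove $::cookie_name
        # ... and re-issue it with the encrypted, base64-wrapped value, flagged
        # Secure (sent over HTTPS only) and HttpOnly (not readable from script).
        set ciphertext [b64encode [AES::encrypt $::key $plaintext]]
        HTTP::header insert "Set-Cookie" "$::cookie_name=$ciphertext; Version=1; Secure; HttpOnly"
    }
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists $::cookie_name] } {
        set ciphertext [HTTP::cookie $::cookie_name]
        # Never let the ciphertext through to the backend, whatever happens next.
        HTTP::cookie remove $::cookie_name
        # A forged, truncated or stale-key cookie can make b64decode or
        # AES::decrypt throw; catch it so the request still goes through,
        # just without the cookie, instead of the connection being reset.
        if { [catch { AES::decrypt $::key [b64decode $ciphertext] } plaintext] } {
            log local0. "$::cookie_name: decrypt failed for client [IP::client_addr], dropping cookie"
        } else {
            HTTP::cookie insert name $::cookie_name value $plaintext
        }
    }
}
```

Two things to keep in mind when deploying this. First, AES encryption alone gives confidentiality, not integrity: the `catch` handles ciphertext that fails outright, but a modified cookie may also decrypt to garbage without any error, so the application behind the LTM must still validate whatever value it receives rather than trusting it because it "came back encrypted". Second, on 9.4.0+ the HTTP profile's cookie-encryption option Aaron mentions does the same job without any rule code and is the easier thing to maintain.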