For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Albert__Tase_70's avatar
Albert__Tase_70
Icon for Nimbostratus rankNimbostratus
May 27, 2009

I need to encrypt a cookie and add the Secure;HttpOnly

I have the following but getting error messages:   when RULE_INIT {   set ::key [AES::key 128]   }   when HTTP_RESPONSE {   set decrypted [HTTP::cookie "secure_cookie"] ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
May 28, 2009
Which version of LTM are you using? For 9.4.0+ you can use the HTTP profile option to encrypt the cookie as described in SOL7784 (Click here). If you're not on 9.4.0+, you can change this:

 

 

HTTP::header insert "Set-Cookie" "COOKIE=secure_cookie;Version=1;Secure;HttpOnly"

 

 

to:

 

 

HTTP::header insert "Set-Cookie" "secure_cookie=$encrypted; Version=1; Secure; HttpOnly"

 

 

Your rule isn't actually doing anything with the encrypted value in HTTP_RESPONSE. So when you try to decrypt the cookie in a subsequent request it will fail as it wasn't encrypted to begin with.

 

 

In general, it helps if you describe what error messages you see.

 

 

Aaron