Forum Discussion
Bob_10976
Nimbostratus
Jan 03, 2011
iRule to secure All Cookies...
I would like to set up an iRule that secures all cookies that traverse a specific VIP. I created the below iRule, and assigned it to the only secure VIP we have, but it doesn't seem to be working as expected. I believe it's looking for a cookie named "ASP.NET_SessionId", I think anyway..
Any suggestions on what I'm doing wrong?
    when HTTP_RESPONSE {
        log local0. "F5DBG: Response Event Triggered"
        if { [HTTP::cookie exists "ASP.NET_SessionId"] } {
            log local0. "F5DBG: Found ASP.NET Session Cookie"
            HTTP::cookie secure "ASP.NET_SessionId" enable
        }
    }
Thanks,
Bob
- Chris_Miller
Altostratus
This iRule does indeed only look for a cookie named "ASP.NET_SessionID". To do all cookies, you'll have to loop through.
- Chris_Miller
Altostratus
Colin's 20 Lines or Less 18 covers this a bit:

Cookie Encryption Gateway

If you're looking to encrypt/decrypt ALL cookies going in and out of a virtual in one fell swoop, then here's your solution. Normal configuration of profiles requires you to state each cookie that's going to be encrypted. This iRule allows you to add or remove cookies from your application at will, while always being sure they're going to be secured.

    when RULE_INIT {
        # Exposed passphrase, but this key can be synchronized to the peer LTM
        set ::passphrase "secret"
        # Private passphrase, but it isn't synchronized. On LTM failover to its
        # peer, applications relying on the encrypted cookies will break.
        # set ::passphrase [AES::key]
    }
    when HTTP_REQUEST {
        # Decrypt every cookie the client sends before it reaches the application
        foreach { cookieName } [HTTP::cookie names] {
            HTTP::cookie decrypt $cookieName $::passphrase
        }
    }
    when HTTP_RESPONSE {
        # Encrypt every cookie the application sets before it reaches the client
        foreach { cookieName } [HTTP::cookie names] {
            HTTP::cookie encrypt $cookieName $::passphrase
        }
    }
- Bob_10976
Nimbostratus
Chris...
- Chris_Miller
Altostratus
Heading out shortly. If either I or someone else doesn't get this done tonight, I'll do it in the morning. So you don't need the cookies decrypted, just to have the secure tag? Can you help me understand the possible names? Will the ASP cookie be exactly that name or will it have something after ASP.NET_SessionID? Is ".AdAuthCookie" the exact name too?
- Bob_10976
Nimbostratus
Correct, we do not need the cookies decrypted, just have the secure tag. Currently the only two cookie names will be "ASP.NET_SessionID" and ".ADAuthCookie". Nothing after the name, the names are exactly "ASP.NET_SessionID" and ".ADAuthCookie".
- Phani_Teja_Para
Nimbostratus
I missed the Secure Tag iRule. Can you help me with it?
- Chris_Miller
Altostratus
    when HTTP_RESPONSE {
        if { [HTTP::cookie exists "ASP.net_SessionID"] } {
            HTTP::cookie secure "ASP.net_SessionID" enable
        }
        if { [HTTP::cookie exists ".ADAuthCookie"] } {
            HTTP::cookie secure ".ADAuthCookie" enable
        }
    }
- Bob_10976
Nimbostratus
Thanks Chris.. It seems to work as expected, no errors in the LTM logs..
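
The thread settles on naming the two cookies explicitly, but the original question was how to flag every cookie on the VIP, which the first reply says needs a loop. The iRule below is an added example, not code posted by anyone in the thread; it combines the `foreach` over `[HTTP::cookie names]` from the quoted Cookie Encryption Gateway rule with the `HTTP::cookie secure` call from the accepted answer, and the F5DBG log line is optional.

```tcl
when HTTP_RESPONSE {
    # In a response, [HTTP::cookie names] lists the cookies the server is
    # setting, so cookies added to the application later are covered
    # without editing the rule.
    foreach cookieName [HTTP::cookie names] {
        HTTP::cookie secure $cookieName enable
        # Debug only: remove once the Secure attribute is confirmed on the wire.
        log local0. "F5DBG: Secure flag set on cookie $cookieName"
    }
}
```

As in the thread, attach this only to the HTTPS virtual server: a browser will not send a Secure cookie back over plain HTTP.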