Forum Discussion

Bob_10976's avatar
Icon for Nimbostratus rankNimbostratus
Jan 03, 2011

iRule to secure All Cookies...

I would like to setup an iRule that secures all cookies that are traverse a specific VIP. I created the below iRule, and assigned it to the only secure VIP we have but it doesn't seem to be working as expected. I believe its looking for a cookie names "ASP.NET_SessionId", I think anyway..

Any suggestions on what I'm doing wrong?

   log local0. "F5DBG: Response Event Triggered" 
   if { [HTTP::cookie exists "ASP.NET_SessionId"] } { 
         log local0. "F5DBG: Found ASP.NET Session Cookie" 
            HTTP::cookie secure "ASP.NET_SessionId" enable } }



8 Replies

  • This iRule does indeed only look for a cookie named "ASP.NET_SessionID". To do all cookies, you'll have to loop through.



    Can you answer the following questions?



    1. When you say secure, do you mean encrypt the value of the cookie, or simply enable the secure flag?


    2. Are we interested in the cookies being sent by pool members or do we need to "secure" the cookie values in inbound requests?
  • Colin's 20 Lines or Less 18 covers this a bit:

    Cookie Encryption Gateway
    If you're looking to encrypt/decrypt ALL cookies going in and out of a virtual in one fell swoop, then here's your solution.  Normal configuration of profiles requires you to state each cookie that's going to be encrypted. This iRule allows you to add or remove cookies from your application at will, while always being sure they're going to be secured.
    when RULE_INIT {
       Exposed passphrase, but this key can be synchronized to the peer LTM
        set ::passphrase "secret"
       Private passphrase, but it isn't synchronized.  On LTM failover to
       its peer, applications relying on the encrypted cookies will break.
         set ::passphrase [AES::key]
    when HTTP_REQUEST {
      foreach { cookieName } [HTTP::cookie names] {
        HTTP::cookie decrypt $cookieName ::passphrase
    when HTTP_RESPONSE {
      foreach { cookieName } [HTTP::cookie names] {
        HTTP::cookie encrypt $cookieName ::passphrase
  • Chris...



    Thanks for the quick reply.. Actually you help me confirm something, since I'm only applying the iRule to "ASP.NET_SessionID" cookie I need to modifiy the iRule to just include one other cookie, at least this time, .ADAuthCookie, cookie.



    I've modified a few iRules to include multiple and/or attributes but not sure about this one..



    Would be very greatfuly if you would mind providing me an example of how to wright this with both cookies getting the secure tag.





  • Heading out shortly. If either I or someone else don't get this done tonight, I'll do it in the morning. So you don't need the cookies decrypted, just to have the secure tag? Can you help me understand the possible names? Will the ASP cookie be exactly that name or will it have something after ASP.NET_SessionID? Is ".AdAuthCookie" the exact name too?
  • Correct, we do not need the cookies decrypted, just have the secure tag. Currently the only two Cookie names will be the "ASP.NET_SessionID" and ".ADAuthCookie". Nothing after the name, the names are exctaly, "ASP.NET_SessionID" and ".ADAuthCookie".



    Thanks again for you help!



  • when HTTP_RESPONSE {
    if { [HTTP::cookie exists "ASP.net_SessionID"] } {
    HTTP::cookie secure "ASP.net_SessionID" enable 
    if { [HTTP::cookie exists ".ADAuthCookie"] } {
    HTTP::cookie secure ".ADAuthCookie" enable }

    The rule does compile so that's a start. See if the functionality works and if it does, I'll clean it up so it's as efficient/pretty as possible. This is simply enables the secure flag on cookies sent from pool members with the two names you mentioned.
  • Thanks Chris.. It seems to work as expected, no errors in the LTM logs..