LTM/ASM Prevent session hijacking using an iRule
Hi Tom Lauwereins,
back in the day I wrote an iRule to use non-cookie information (e.g. Certificate, Source-IP) to protect sensitive session cookie information.
High Performance HMAC Cookie Signing
https://devcentral.f5.com/codeshare/high-performance-hmac-cookie-signing
Note: Use the CLIENT_ACCEPTED event of the provided iRule to use the client IP address as cookie binding. Change the cookie names in the RULE_INIT event to match your FedAuth cookie and enter a unique and random key for HMAC operations.
Note: Before using the HMAC verification iRule make sure to analyse your FedAuth cookie. If the FedAuth cookie value changes on every single response, then you should NOT use the iRule.
Note: Instead of using HMAC-verification (my solution uses RAM caches to speed up the verification) you could also develop an iRule which uses symmetric encryption (this will require slightly more CPU instead of using RAM). The iRule would need to parse the response from your servers and intercept those requests which are setting the FedAuth cookie. You could then encrypt the cookie information in combination with the client IP (either as a pre- or suffix) before sending to the client. Whenever the client sends the encrypted cookie on subsequent requests to your F5, you need to decrypt it, verify the embedded client IP and finally inject the original cookie value back to the request.
Cheers, Kai
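The HMAC cookie-binding flow Kai describes, modelled in Python as an added example (this is not his iRule and not F5 code): the "response" side signs the FedAuth cookie together with client-side binding data (client IP, optionally a certificate fingerprint), and the "request" side forwards FedAuth only when the presented signature matches the current client, stripping it otherwise. The key, the `FedAuthSig` companion cookie name and all sample values are constructed for the example; the `lru_cache` stands in for the RAM cache that avoids recomputing the HMAC for a cookie/binding pair that was already verified.

```python
import hashlib
import hmac
from functools import lru_cache

# Constructed placeholder key: the real iRule sets a unique, random key in RULE_INIT.
HMAC_KEY = bytes.fromhex(
    "5f3a9c1e4b7d2a8e6c0f1b3d5e7a9c2b4d6f8a0c1e3b5d7f9a2c4e6b8d0f1a3c"
)
COOKIE_NAME = "FedAuth"          # session cookie issued by the application
SIG_COOKIE_NAME = "FedAuthSig"   # companion cookie carrying the HMAC (constructed name)


def client_binding(client_ip: str, cert_fingerprint: str = "") -> bytes:
    """Non-cookie information the session is bound to (what CLIENT_ACCEPTED collects)."""
    return f"{client_ip}|{cert_fingerprint}".encode()


def sign_cookie(cookie_value: str, binding: bytes) -> str:
    """HMAC-SHA256 over binding and cookie value; the NUL separator keeps the two
    fields from being re-split into a different (binding, value) pair."""
    msg = binding + b"\x00" + cookie_value.encode()
    return hmac.new(HMAC_KEY, msg, hashlib.sha256).hexdigest()


@lru_cache(maxsize=4096)
def _verify_cached(cookie_value: str, binding: bytes, presented_sig: str) -> bool:
    """Stand-in for the iRule's RAM cache: an identical (cookie, binding, sig)
    tuple is only HMAC-verified once, later hits are dictionary lookups."""
    expected = sign_cookie(cookie_value, binding)
    return hmac.compare_digest(expected, presented_sig)


def on_response(set_cookies: dict, client_ip: str, cert_fingerprint: str = "") -> dict:
    """HTTP_RESPONSE side: when the server sets FedAuth, add the signature cookie.
    set_cookies maps Set-Cookie names to values (constructed representation)."""
    out = dict(set_cookies)
    if COOKIE_NAME in out:
        binding = client_binding(client_ip, cert_fingerprint)
        out[SIG_COOKIE_NAME] = sign_cookie(out[COOKIE_NAME], binding)
    return out


def on_request(cookies: dict, client_ip: str, cert_fingerprint: str = "") -> tuple:
    """HTTP_REQUEST side: forward FedAuth only if its signature matches this client.
    Returns (verified, cookies_to_forward); verified is True only when a FedAuth
    cookie was present and its signature matched the current binding."""
    fwd = dict(cookies)
    sig = fwd.pop(SIG_COOKIE_NAME, None)   # never forward the signature cookie to the server
    if COOKIE_NAME not in fwd:
        return (False, fwd)                 # no session cookie: nothing to protect
    binding = client_binding(client_ip, cert_fingerprint)
    ok = sig is not None and _verify_cached(fwd[COOKIE_NAME], binding, sig)
    if not ok:
        # Replayed from another IP, tampered, or unsigned: drop the cookie so the
        # backend treats the request as unauthenticated.
        fwd.pop(COOKIE_NAME)
    return (ok, fwd)


if __name__ == "__main__":
    issued = on_response({"FedAuth": "abc123"}, "203.0.113.10")   # constructed sample
    print("same client:", on_request(issued, "203.0.113.10"))
    print("other client:", on_request(issued, "198.51.100.7"))
```

Two properties of the design are worth noting. The signature lives in a separate cookie, so the application never sees it and the original FedAuth value reaches the server unchanged, which is what makes the HMAC approach cheaper than the encrypt/decrypt variant. And the cache only helps when the same FedAuth value recurs across requests; if the application re-issues FedAuth on every response (the case Kai warns about), each request carries a fresh value, every verification misses the cache and the benefit over plain per-request HMAC disappears.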