For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tom_Lauwereins_'s avatar
Tom_Lauwereins_
Icon for Nimbostratus rankNimbostratus
Apr 11, 2019

LTM/ASM Prevent session hijacking using an iRule

Hello all   We have noticed a security issue on our sharepoint website. If a hacker manages to steal someone's FedAuth cookie (Sharepoint proprietary) and the TS* cookie (ASM), the ASM policy will...
application delivery
iRules
LTM
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Apr 11, 2019

Hi Tom Lauwereins,

back in the days I wrote an iRule to use non-cookie information (e.g. Certificate, Source-IP) to protect sensitive session cookie information.

High Performance HMAC Cookie Signing

https://devcentral.f5.com/codeshare/high-performance-hmac-cookie-signing

Note: Use the 

CLIENT_ACCEPTED
event of the provided iRule to use the client IP address as cookie binding. Change the cookie names in the 
RULE_INIT
event to match your FedAuth cookie and enter a unique and random key for HMAC operations.

Note: Before using the HMAC verification iRule make sure to analyse your FedAuth cookie. If the FedAuth cookie value changes on every single response, then you should NOT use the iRule.

Note: Instead of using HMAC-verification (my solution uses RAM caches to speed up the verification) you could also develop an iRule which uses symetric encryption (this will require slightly more CPU instead of using RAM). The iRule would need to parse the response from your servers and intercept those requests which are setting the FedAuth cookie. You could then encrypt the cookie information in combination with the client IP (either as a pre- or suffix) before sending to the client. Whenenver the client sends the encrypted cookie on subsequent request to your F5, you need to decrypt it, verify the embedded client IP and finally inject the original cookie value back to the request.

Cheers, Kai