For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 14, 2007

Manipulating a decrypted cookie value using HTTP::cookie decrypt

Hi,     I'm running into an issue on 9.2.4 when trying to get and potentially manipulate the unencrypted value of a cookie. I encrypt the cookie sent in the response using HTTP::cookie encrypt ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jan 17, 2008
Actually, it does look like the cookie value is modified by the encrypt and decrypt functions. I was getting confused by the HTTP::header and HTTP::cookie values being cached. You can decrypt the cookie value and save the output to a variable to workaround the problem with difficulty of cached values.

For example, using two different priorities shows the true value of the cookie changing without explicitly setting the cookie value to the output of HTTP::cookie encrypt.


when RULE_INIT {
   set ::cookie_passphrase "some phrase"
   set ::cookie_name "cookie_name"
   set ::cookie_value "cookie_value"
}
when HTTP_REQUEST priority 500 {
   
   HTTP::cookie insert name $::cookie_name value $::cookie_value
   log local0. "500 Unencrypted cookie value: [HTTP::cookie value $::cookie_name]"
    Encrypt cookie and save the encrypted value
   set encrypted_value [HTTP::cookie encrypt $::cookie_name $::cookie_passphrase]
   log local0. "500 \$encrypted_value: $encrypted_value"
   log local0. "500 Correct cookie header value: [HTTP::header value Cookie]"
   log local0. "500 Cached cookie value: [HTTP::cookie value $::cookie_name]"
}
when HTTP_REQUEST priority 501 {
   log local0. "501 Encrypted test cookie value: [HTTP::cookie value $::cookie_name]"
   log local0. "501 Cookie header with encrypted value: [HTTP::header value Cookie]"
}
when HTTP_REQUEST priority 502 {
    Encrypt cookie and save the encrypted value
   set decrypted_value [HTTP::cookie decrypt $::cookie_name $::cookie_passphrase]
   log local0. "502 \$decrypted_value: $decrypted_value"
   log local0. "502 Decrypted cookie header value: [HTTP::header value Cookie]"
   log local0. "502 Decrypted cookie value: [HTTP::cookie value $::cookie_name]"
}

Log output:

: 500 Unencrypted cookie value: cookie_value: 500 $encrypted_value: f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P: 500 Correct cookie header value: cookie_name=f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P;: 500 Cached cookie value: cookie_value: 501 Encrypted test cookie value: f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P: 501 Cookie header with encrypted value: cookie_name=f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P;: 502 $decrypted_value: cookie_value: 502 Decrypted cookie header value: cookie_name=cookie_value;: 502 Decrypted cookie value: cookie_value

Aaron