Forum Discussion
ptate_72056
Nimbostratus
Jan 23, 2009
Persistence cookies and security
Hi Everyone,
We've recently had a security audit reveal that the BigIP persistence cookie contains the IP address and the port of the node the user connected to.
I can see why this is required from a BigIP point of view but is there any way of securing this information, bar not using cookie-based persistence.
Many thanks in advance,
Phill
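What the audit flagged, shown as an added example that is not part of the original thread: the default (unencrypted) IPv4 BIG-IP persistence cookie value has the form "<ip>.<port>.0000", where the node's dotted-quad address is stored as a little-endian 32-bit decimal integer and its port as a little-endian 16-bit decimal integer, so anyone holding the cookie can recover both. The Python below (function names, the sample Set-Cookie values and the audit helper are mine, constructed for illustration) decodes and re-encodes that format and returns None for any value that does not match it, which is what an encrypted or otherwise opaque value looks like to this check. The IPv6 and route-domain variants of the cookie are not handled.

```python
import re
import struct

# Constructed sample Set-Cookie values for illustration; not from the thread.
# The first is a default-format persistence cookie for node 10.1.1.100:8080,
# the second is a placeholder for an opaque (encrypted) cookie value.
SAMPLE_PLAINTEXT = "BIGipServerpool_web=1677787402.36895.0000"
SAMPLE_OPAQUE = "BIGipServerpool_web=Y4n3kQ2lx9zTf0a1BcDe7g=="

# Default IPv4 format: "<ip>.<port>.0000", all fields decimal.
_PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value):
    """Decode a default-format (unencrypted) IPv4 BIG-IP persistence cookie.

    <ip> is the node address read as a little-endian 32-bit integer and
    <port> its TCP port read as a little-endian 16-bit integer. Returns
    (ip, port), or None when the value does not match that format, which
    is how an encrypted or otherwise opaque value presents to this decoder.
    """
    m = _PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Little-endian byte order: 1677787402 -> 0A 01 01 64 -> 10.1.1.100
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    # 36895 -> 1F 90 -> 0x1F90 -> 8080
    port = int.from_bytes(struct.pack("<H", port_int), "big")
    return ip, port


def encode_bigip_cookie(ip, port):
    """Inverse of decode_bigip_cookie, useful for round-trip checks."""
    ip_int = struct.unpack("<I", bytes(int(o) for o in ip.split(".")))[0]
    port_int = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_int}.{port_int}.0000"


def audit_set_cookie(header_value):
    """Classify one Set-Cookie value the way the audit in this thread did.

    Returns the cookie name, whether its value exposes a backend node in
    clear, and the decoded (ip, port) when it does.
    """
    name, _, rest = header_value.partition("=")
    value = rest.split(";", 1)[0].strip()
    decoded = decode_bigip_cookie(value)
    return {
        "cookie": name.strip(),
        "leaks_backend": decoded is not None,
        "node": decoded,
    }


if __name__ == "__main__":
    for hdr in (SAMPLE_PLAINTEXT, SAMPLE_OPAQUE):
        print(audit_set_cookie(hdr))
```

Run the script over the Set-Cookie headers captured from a virtual server before and after turning on cookie encryption: the plaintext cookie decodes to the node address and port, the encrypted one does not match the pattern and is reported as not leaking. A value that fails the pattern is not proof of encryption, only that it is not the default clear-text format, so pair this with a check that the cookie name you expected to be encrypted is the one actually being set.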
3 Replies
- hoolio
Cirrostratus
Hi Phil,
As the client should never need to read or modify this cookie, you can encrypt the cookie value using the 9.4+ HTTP profile option 'Encrypt Cookies'. Enter the name of the cookie and a passphrase to use. Make sure to create a custom HTTP profile rather than modifying the default HTTP profile so this option will only be used on the specific VIP(s) you want it for.
If you're on an older version of LTM, you could use an iRule to encrypt the cookie value using 'HTTP::cookie encrypt|decrypt' in HTTP_RESPONSE and HTTP_REQUEST, respectively.
Aaron
- Skuba_85554
Nimbostratus
hi hoolio
we have made use of a config example from the f5 site (shown below)
just to confirm 100%, does the encrypted cookie prevent the end user from reading the contents of it? i.e. is the IP address of the back end server disguised? or is the cookie simply encrypted in transit to prevent anyone other than the genuine client and server from reading the data?
thanks
when CLIENT_ACCEPTED {
    set cookiename "OurCookie"
    set encryption_passphrase "OurPassphrase"
}
when HTTP_RESPONSE {
    # Encrypt the cookie value before it leaves for the client
    if { [HTTP::cookie exists $cookiename] } {
        HTTP::cookie encrypt $cookiename $encryption_passphrase
    }
}
when HTTP_REQUEST {
    # Decrypt the value on the way back in; decrypt returns an empty
    # string when the value was not encrypted with this passphrase
    if { [HTTP::cookie exists $cookiename] } {
        set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename
        }
    }
}
- Deb_Allen_18
Historic F5 Account
The cookie data is encrypted and decrypted by the LTM only using the specified key. The client, since it does not have the key, cannot decrypt the cookie, so any data within it is not readable by the client.