Forum Discussion
ptate_72056
Nimbostratus
Jan 23, 2009
Persistence cookies and security
Hi Everyone,
We've recently had a security audit reveal that the BigIP persistence cookie contains the IP address and the port of the node the user connected to.
I can se...
Skuba_85554
Nimbostratus
Jan 23, 2009
hi hoolio
we have made use of a config example from the f5 site (shown below)
just to confirm 100%, does the encrypted cookie prevent the end user from reading the contents of it? i.e. is the IP address of the back end server disguised? or is the cookie simply encrypted in transit to prevent anyone other than the genuine client and server from reading the data?
thanks
when CLIENT_ACCEPTED {
    # Name of the persistence cookie and the passphrase used to encrypt it
    set cookiename "OurCookie"
    set encryption_passphrase "OurPassphrase"
}
when HTTP_RESPONSE {
    # Encrypt the cookie value before the response goes to the client
    if { [HTTP::cookie exists $cookiename] } {
        HTTP::cookie encrypt $cookiename $encryption_passphrase
    }
}
when HTTP_REQUEST {
    # Decrypt the cookie value sent back by the client
    if { [HTTP::cookie exists $cookiename] } {
        set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase]
        if { ($decrypted eq "") } {
            # Cookie wasn't encrypted, delete it
            HTTP::cookie remove $cookiename
        }
    }
}
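The audit finding discussed in this thread can be re-checked from the client side after the iRule is deployed. The following is an added example, not part of the original thread or of F5's code: it assumes the default BIG-IP IPv4 cookie encoding (the IP as a little-endian decimal, the port byte-swapped, and a `.0000` suffix) and reports any `Set-Cookie` header whose value still decodes to a node address. The function names and the sample headers are constructed for illustration.

```python
import ipaddress
import re

# Default (unencrypted) IPv4 pool-member encoding: <ip>.<port>.0000
_DEFAULT_FORMAT = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_persistence_cookie(value):
    """Return (ip, port) if value uses the default encoding, else None."""
    match = _DEFAULT_FORMAT.match(value.strip())
    if not match:
        return None
    ip_int, port_int = int(match.group(1)), int(match.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Both fields are stored byte-reversed (little-endian) as decimals.
    ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return str(ip), port


def audit_set_cookie(headers):
    """List (cookie name, ip, port) for headers that disclose a node address."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        value = rest.split(";", 1)[0]
        decoded = decode_persistence_cookie(value)
        if decoded:
            findings.append((name.strip(), decoded[0], decoded[1]))
    return findings


# Constructed sample Set-Cookie values (not captured from a real system).
SAMPLE_HEADERS = [
    "OurCookie=1677787402.36895.0000; path=/",            # default encoding
    "OurCookie=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==; path=/",  # opaque value
    "JSESSIONID=ABC123; path=/",                          # unrelated cookie
]

if __name__ == "__main__":
    for name, ip, port in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name} discloses node {ip}:{port}")
```

An empty result for the persistence cookie means only that its value no longer matches the default encoding; it does not by itself verify the strength of the encryption.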