iRule: Securing Cookies

So, you've got yourself some info that you want to stash in a cookie. The problem is that cookie contents are stored in HTTP headers which can be snooped on by those out there you want to keep the contents away from.

Sure, you could encrypt your session with SSL. That would stop those sniffing on the wire, but the cookie is then stored on the clients disk in clear text.

So, you may ask, how easy is it to secure the contents of a cookie? We'll, thanks to BIG-IP v9.x, it's VERY easy. With a simple iRule, you can do so with a few strokes of the keyboard.

Here's a simple iRule that will do that for you. First at rule initialization, we'll generate a unique encryption key:

when RULE_INIT {
   # Generate Unique Key
   set ::key [AES::key]
}

Next, for a HTTP Response that contains the cookie (in this example, the name of the cookie is "MyCookie"), we'll encrypt it and replace the value with the encrypted value of the original.

when HTTP_RESPONSE {
   set decrypted [HTTP::cookie "MyCookie"]
   if { "" ne $decrypted } {
      # remove the original cookie, encrypt it, and then insert the encrypted value
      HTTP::cookie remove "MyCookie"
      set encrypted [b64encode [AES::encrypt $::key $decrypted]]
      HTTP::cookie insert name "MyCookie" value $encrypted
   }
}

Now, when the client makes a subsequent request, we'll check for the encrypted version of the cookie. If it exists, then decrypt it and replace the encrypted value with it's decrypted counterpart.

when HTTP_REQUEST {
   set encrypted [HTTP::cookie "MyCookie"]
   if { "" ne $encrypted } { 
      # remove encrypted cookie, decrypt it, and insert the decrypted value.
      HTTP::cookie remove "MyCookie"
      set decrypted [AES::decrypt $::key [b64decode $encrypted]]
      HTTP::cookie insert name "MyCookie" value $decrypted
   }
}

Pretty simple huh?

-Joe

 

[Listening to: Be Like That - 3 Doors Down - The Better Life (04:26)]
Published Nov 09, 2005
Version 1.0
  • You gain the protection from a man-in-the-middle attack where a 3rd party was sniffing traffic and was able to replicate your login from their system by copying your cookie. By encrypting the cookie with the IP of the client connection, the would-be hacker would have to hack his connection to make it look like the TCP connection from his system was the same as yours which is very difficult to do. You are correct that this would work on any other browser on your current system but typically if a hacker has gained access to your operating system, you have more to worry about...

     

     

    -Joe