Lightboard Lessons: BIG-IP Cookie Persistence Values

The BIG-IP creates cookies (when enabled) in order to allow persistence. Several people have asked what these cookies look like and how their values are generated. This video digs into the details of cookie persistence values and how they are calculated. Enjoy!

Published Aug 02, 2017
Version 1.0
  • Aditya, great question. The way to hide the contents of the cookie is to encrypt the cookie, and the BIG-IP allows for cookie encryption. When encrypted, the cookie contents are not readable. Here's more information on cookie encryption: https://support.f5.com/csp/article/K14784


  • Hi John,

    As we see that by reverse engineering it is possible to see the IP address and port of the server via the cookie. So is there a way to mask the IP and port in the cookie so that public users cannot re-engineer the IP of the server (for security purposes)?

    Thanks, Aditya


  • @MSZ, great question! Each application developer can set cookie limits as desired, so it depends on how the application is designed as to how many cookies there are. As for browsers, each one is a little different, but they all can typically handle at least 4096 bytes of cookies per domain. Here's an interesting article that gives a little more info: https://www.thoughtco.com/cookie-limit-per-domain-3466809


  • MSZ: How many cookies are created normally for an application?


  • @MSZ, the port number is converted the same way as the IP address. You convert to hexadecimal, then reverse order the hex numbers, then convert to decimal. If the port number is less than 256, the first two hex digits (prior to reverse ordering) are 0x00. The later part of the video above (starting at about the 6:30 mark) shows the calculation on port number. Hope this helps!
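The IP and port conversion described in this reply, as an added Python example that is not part of the original post and not F5's code: it encodes and decodes the three-field persistence cookie value (the four IPv4 octets in reversed order read as one decimal number, the port with its two bytes swapped read as a decimal number, then a fixed 0000), and it includes a small audit helper that scans Set-Cookie header values for unencrypted persistence cookies that decode to a private backend address. That is the check a defender would run against their own responses to confirm that cookie encryption (the fix John points to above) is actually in effect. The BIGipServer cookie-name prefix is the default naming the BIG-IP uses; the header lines at the bottom are constructed sample data, and the opaque value in the second one stands in for an encrypted cookie.

```python
import ipaddress
import re

# Plain (unencrypted) persistence cookie value: <ip as decimal>.<port as decimal>.0000
COOKIE_VALUE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d{4})$")


def encode_ipv4(ip: str) -> int:
    """Reverse the four octets and read them as one unsigned 32-bit integer.
    10.1.1.100 -> 0A 01 01 64 -> 64 01 01 0A -> 1677787402."""
    octets = bytes(int(o) for o in ip.split("."))
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return int.from_bytes(octets[::-1], "big")


def decode_ipv4(value: int) -> str:
    """Inverse of encode_ipv4: split into 4 bytes, reverse, print dotted-quad."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IPv4 field out of range")
    return ".".join(str(b) for b in value.to_bytes(4, "big")[::-1])


def encode_port(port: int) -> int:
    """Port as 2 big-endian bytes (a port below 256 gets a leading 0x00),
    bytes swapped, read back as decimal: 80 -> 0x0050 -> 0x5000 -> 20480."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return int.from_bytes(port.to_bytes(2, "big")[::-1], "big")


def decode_port(value: int) -> int:
    """Inverse of encode_port (byte swap is its own inverse)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("port field out of range")
    return int.from_bytes(value.to_bytes(2, "big")[::-1], "big")


def encode_cookie(ip: str, port: int) -> str:
    """Build the plain persistence cookie value for a pool member."""
    return f"{encode_ipv4(ip)}.{encode_port(port)}.0000"


def decode_cookie(value: str):
    """Return (ip, port) for a plain persistence cookie value, or None when the
    value does not have the plain three-field shape (e.g. an encrypted cookie)."""
    m = COOKIE_VALUE_RE.match(value)
    if m is None:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    return decode_ipv4(ip_int), decode_port(port_int)


def leaked_backends(set_cookie_values):
    """Audit helper: for each Set-Cookie header value, report
    (cookie_name, ip, port) where an unencrypted BIGipServer cookie decodes
    to a private (RFC 1918) or loopback backend address."""
    found = []
    for header in set_cookie_values:
        name, _, rest = header.partition("=")
        name = name.strip()
        value = rest.split(";", 1)[0].strip()
        if not name.startswith("BIGipServer"):
            continue
        decoded = decode_cookie(value)
        if decoded is None:
            continue  # encrypted/opaque value: nothing readable to report
        ip, port = decoded
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback:
            found.append((name, ip, port))
    return found


# Constructed sample Set-Cookie values (not captured from a real deployment).
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.20480.0000; path=/",
    "BIGipServerapp_pool=!ConstructedOpaqueEncryptedValue==; path=/",
    "sessionid=abc123; HttpOnly",
]

if __name__ == "__main__":
    print(encode_cookie("10.1.1.100", 80))          # 1677787402.20480.0000
    print(decode_cookie("1677787402.20480.0000"))   # ('10.1.1.100', 80)
    for name, ip, port in leaked_backends(SAMPLE_HEADERS):
        print(f"unencrypted persistence cookie {name} reveals {ip}:{port}")
```

Run it against the Set-Cookie values your own virtual server returns; an empty result from leaked_backends means every persistence cookie is in the opaque, encrypted form, while any hit is a pool member whose address and port are readable by every client that receives the cookie.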


  • @Aditya, great question! If you want to capture the cookie on your browser, you can right click on the page and open the "inspect" feature and look at application cookies. You can see all the cookies on your browser from there. Keep in mind each browser will store its own cookies, so this list will be browser-specific. If you are wanting to capture all the cookies on the BIG-IP, then you can run an iRule to check them all out. Here's a link to an iRule that should help with that: https://devcentral.f5.com/codeshare?sid=631


  • MSZ: How did you convert the port number?


  • Thanks John, very, very informative! You said that if we capture cookies then we can reverse engineer. So how can we capture the cookie? Thanks, Aditya