Use the HTTP::cookie command to encrypt the cookie contents and/or secure the cookie to assure it's transported only via an SSL connection.

So, you've got yourself some info that you want to stash in a cookie. The problem is that cookie contents are stored in HTTP headers, which can be snooped on by exactly the people you want to keep the contents away from.

Sure, you could encrypt your session with SSL. That would stop anyone sniffing on the wire, but the cookie is still stored on the client's disk in clear text.

So, you may ask, how easy is it to secure the contents of a cookie? Well, thanks to BIG-IP v9.x, it's VERY easy. With a simple iRule, you can do so with a few strokes of the keyboard.

Here's a simple iRule that will do that for you. First at rule initialization, we'll generate a unique encryption key:

when RULE_INIT {
   # Generate a unique AES key when the rule is loaded
   set ::key [AES::key]
}

Next, for an HTTP response that contains the cookie (in this example, the name of the cookie is "MyCookie"), we'll encrypt it and replace the value with the encrypted value of the original.

when HTTP_RESPONSE {
   set decrypted [HTTP::cookie "MyCookie"]
   if { "" ne $decrypted } {
      # remove the original cookie, encrypt it, and then insert the encrypted value
      HTTP::cookie remove "MyCookie"
      set encrypted [b64encode [AES::encrypt $::key $decrypted]]
      HTTP::cookie insert name "MyCookie" value $encrypted
   }
}

Now, when the client makes a subsequent request, we'll check for the encrypted version of the cookie. If it exists, then decrypt it and replace the encrypted value with its decrypted counterpart.

when HTTP_REQUEST {
   set encrypted [HTTP::cookie "MyCookie"]
   if { "" ne $encrypted } {
      # remove encrypted cookie, decrypt it, and insert the decrypted value.
      HTTP::cookie remove "MyCookie"
      set decrypted [AES::decrypt $::key [b64decode $encrypted]]
      HTTP::cookie insert name "MyCookie" value $decrypted
   }
}

Pretty simple huh?
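As an added example (not the rule from the post above), here is the same rule with the two things the intro mentions but the snippets don't show: the cookie's Secure flag, and what happens when a cookie comes back that won't decrypt (tampered, truncated, or issued before a config reload regenerated the key). It keeps the cookie name "MyCookie" and assumes, as noted in the comments, that AES::decrypt raises a Tcl error on bad input.

```tcl
# Added example: the post's cookie-encryption rule with Secure flag and failure handling.
when RULE_INIT {
   # The key lives only in memory: every RULE_INIT (config load, rule edit)
   # regenerates it, so cookies issued before that point will no longer decrypt.
   set ::key [AES::key]
}

when HTTP_RESPONSE {
   if { [HTTP::cookie exists "MyCookie"] } {
      set decrypted [HTTP::cookie "MyCookie"]
      HTTP::cookie remove "MyCookie"
      set encrypted [b64encode [AES::encrypt $::key $decrypted]]
      HTTP::cookie insert name "MyCookie" value $encrypted
      # Secure flag: the browser only returns this cookie over HTTPS, so even
      # the encrypted value never travels in a clear-text request.
      HTTP::cookie secure "MyCookie" enable
   }
}

when HTTP_REQUEST {
   if { [HTTP::cookie exists "MyCookie"] } {
      set encrypted [HTTP::cookie "MyCookie"]
      HTTP::cookie remove "MyCookie"
      # Assumption: AES::decrypt raises a Tcl error on malformed ciphertext.
      # Catch it so a bad cookie is logged and dropped instead of aborting
      # the rule (and the connection); the backend then sees no cookie at all.
      if { [catch { AES::decrypt $::key [b64decode $encrypted] } decrypted] } {
         log local0. "MyCookie from [IP::client_addr] failed to decrypt; dropping it"
      } else {
         HTTP::cookie insert name "MyCookie" value $decrypted
      }
   }
}
```

AES::encrypt gives confidentiality only: a ciphertext that has been modified may still decrypt to garbage rather than fail, so the backend must still validate whatever it reads out of the cookie.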
