Jean_Mamène
Jun 07, 2019
Solved

Encrypted cookies on strict uri

Hi, I need to encrypt my cookies on a specific URI. I have this iRule: when HTTP_RESPONSE { set myValues [HTTP::cookie names]     foreach mycookies $myValues { if { [HTTP::cookie version $mycookies...
  • Dario_Garrido
    Jun 07, 2019

    Hello

     

    Technically, you are not encrypting your cookies, you are encrypting your communication tagging your cookies with "secure".

    REF - https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie

    REF - https://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie

     

    The rest of the code only replaces the cookie version of all of them.

    HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1

    Encryption is done by using

    HTTP::cookie encrypt <name> <pass phrase> ["128" | "192" | "256"]

    ---

    So, if you need to apply the iRule only for queries which have a specific URI, you should do something like this (with the condition containing the whole code).

    when HTTP_REQUEST {
      # Save the lowercased request URI for use in HTTP_RESPONSE
      set origuri [string tolower [HTTP::uri]]
    }

    when HTTP_RESPONSE {
      set myValues [HTTP::cookie names]
      # Only touch cookies on responses to requests for the chosen URI
      if { $origuri starts_with "uri" } {
        foreach mycookies $myValues {
          # Re-insert the cookie as version 1 if it is not already
          if { [HTTP::cookie version $mycookies] != 1 } {
            set ckval [HTTP::cookie value $mycookies]
            set ckpath [HTTP::cookie path $mycookies]
            HTTP::cookie remove $mycookies
            HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
          }
          # Set the Secure and HttpOnly attributes
          HTTP::cookie secure $mycookies enable
          HTTP::cookie httponly $mycookies enable
        }
      }
    }

    You can find the meaning of each HTTP::cookie command here

    https://clouddocs.f5.com/api/irules/HTTP__cookie.html

     

    KR,

    Dario.
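
An added example, not part of the answer above: an iRule that encrypts cookie values with the `HTTP::cookie encrypt` command the answer mentions, only on responses for one URI prefix, and decrypts them when the browser sends them back. The prefix `/app`, the cookie name `sessionid` and the passphrase are placeholders, and the empty-string result of a failed decrypt is an assumption about how `HTTP::cookie decrypt` behaves.

```tcl
# Added example; every value set in RULE_INIT is a placeholder.
when RULE_INIT {
  # URI prefix whose responses get encrypted cookies (hypothetical)
  set static::enc_prefix "/app"
  # Cookies to protect; they should only ever be set under that prefix
  set static::enc_cookies {sessionid}
  # The passphrase is stored in clear text in the configuration
  set static::enc_pass "REPLACE_WITH_LONG_RANDOM_PASSPHRASE"
}

when HTTP_REQUEST {
  # Save the lowercased request URI for use in HTTP_RESPONSE
  set origuri [string tolower [HTTP::uri]]

  # The browser returns a cookie according to the cookie's own path,
  # not the URI that set it, so decryption runs on every request.
  foreach ck $static::enc_cookies {
    if { [HTTP::cookie exists $ck] } {
      # Assumption: decrypt yields an empty string when the value was
      # not produced by HTTP::cookie encrypt with this passphrase.
      if { [HTTP::cookie decrypt $ck $static::enc_pass] eq "" } {
        # Unencrypted or modified value: do not pass it to the server
        HTTP::cookie remove $ck
      }
    }
  }
}

when HTTP_RESPONSE {
  # Encrypt only on responses to requests under the chosen prefix
  if { $origuri starts_with $static::enc_prefix } {
    foreach ck $static::enc_cookies {
      if { [HTTP::cookie exists $ck] } {
        # The client now sees ciphertext instead of the server's value
        HTTP::cookie encrypt $ck $static::enc_pass
      }
    }
  }
}
```

The Secure and HttpOnly handling from the answer's iRule is independent of this and can be kept alongside it.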