Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Encrypt the BIGip cookie + cookie insert

I have found some good examples of encrypting cookies with an iRule, but from what I read (if I am reading it correctly) it does not seem that anyone is encrypting the cookie inserted by the BIGIP itself? I use cookie_insert for persistence and a recent vulnerability assessment noted that the node and port number can be easily obtained by decoding the cookie value. Is it possible for me to encrypt the cookie that the BIGIP is inserting?

-L
0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
The BIG-IP persistence cookie should be set before the default priority HTTP_RESPONSE event, so you should be able to use HTTP::cookie encrypt to encrypt it. You'd need to decrypt it in the request so it could be read for load selection.

Aaron
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
If you have 9.4 or later releases, you can specify the cookie name to be encrypted/decrypted in the GUI; no rules needed.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Can we really manipulate the LTM-set cookie via iRules?

I thought we might be able to do so in HTTP_REQUEST_SEND, but traditionally we've been unable to affect LTM-set headers.

/deb
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
I've set the domain on a persistence cookie before. I haven't tried modifying the persistence cookie on the request though. I would have assumed it would be possible...?

Aaron
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Sounds like it, given your experience.

Didn't realize we could do that without rolling our own cookie. Good to know, thanks!

/deb
0