BigIP does not encrypt application cookies

Question

Greetings,&nbsp;
&nbsp;I have an LTM on v9.4.8&nbsp;
&nbsp;I have been fighting this for a week now. I hope someone can shine a light on where I am going wrong.&nbsp;
&nbsp;I have already tried both of the examples in the following link:&nbsp;
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookies.html
&nbsp;and
&nbsp;http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/19364/afv/topic/Default.aspx&nbsp;&nbsp;
&nbsp;The problem is that an application is leaking internal network info in a cookie like the following value:&nbsp;
&nbsp;Cookie Value: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin&nbsp;
&nbsp;I need to encrypt these cookies. &nbsp;
&nbsp;Here is my code:&nbsp;&nbsp;
when CLIENT_ACCEPTED {
        set ::cookiename "stagingDistAuth"
        set ::encryption_passphrase "abcd1234"
}

when HTTP_REQUEST {
    set uri  https://[getfield [HTTP::host] : 1][HTTP::uri]

if { $uri starts_with "https://some.server.com/auth/" } {
        if { [HTTP::cookie exists $::cookiename] } {
            set decrypted [HTTP::cookie decrypt $::cookiename $::encryption_passphrase]
            if { ($decrypted eq "") } {
                 Cookie wasn't encrypted, delete it
                HTTP::cookie remove $::cookiename
            }
        }
    }
 }

when HTTP_RESPONSE { 
    if { $uri starts_with "https://some.server.com/auth/" } {
        if { [HTTP::cookie exists $::cookiename] } {
         set encrypted_value  [HTTP::cookie encrypt $::cookiename $::encryption_passphrase]
        }
    }
}
&nbsp;
&nbsp;I have tried entering a lot of log messages to debug but nothing showed up except that the cookie is not being encrypted. When I look at the cookie in my browser it is not encrypted.&nbsp;
&nbsp;When I set the cookie value to the encrypted value with a command like the following I get a new cookie by the same name but with a different domain and not secured.&nbsp;&nbsp;
    if { $uri starts_with "https://some.server.com/auth/" } {
        if { [HTTP::cookie exists $::cookiename] } {
         set encrypted_value  [HTTP::cookie encrypt $::cookiename $::encryption_passphrase]
         set crtrn [HTTP::cookie value $::cookiename $encrypted_value ]
        }
    }
&nbsp;
&nbsp;Any help would be appreciated.&nbsp;&nbsp;

hooleylist · Answer

Hi Brian, 
&nbsp;  
&nbsp; Is it possible that the cookie is being set on responses that aren't to a request for the auth URI?  Can you show a version with debug logging and the output from /var/log/ltm? 
&nbsp;  
&nbsp; Also, you don't need to use global variables for cookiename and encryption_password.  You can remove the :: prefix to the variable names to make them local. 
&nbsp;  
&nbsp; Aaron

brian_107072 · Answer

Well, It appears I am suffering from the same thing as these guys: 
&nbsp;  
&nbsp; http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1173075/aff/5/showtab/groupforums/Default.aspx1198179 
&nbsp;  
&nbsp; Anyone have a work around?  
&nbsp;  
&nbsp; I am going to try checking the Cookie Value length as a work around.

brian_107072 · Answer

Here is my code with logging 
&nbsp;  
&nbsp;  
 when CLIENT_ACCEPTED { 
  Get Client IP address 
 set CLIENT [IP::client_addr] 
  
      Name of the cookie to encrypt/decrypt 
 set cookie "stagingDistAuth"  
 set cookiename "stagingDistAuth" 
 set encryption_passphrase "abcd1234" 
      Log debug messages to /var/log/ltm?  1=yes, 0=no. 
     set cookie_encryption_debug 1 
 } 
    
 when HTTP_REQUEST { 
 set proto "https://" 
  
 set uri  $proto[getfield [HTTP::host] : 1][HTTP::uri] 
  
 if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} { 
 if { [HTTP::cookie exists $cookiename] } { 
  
 if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE:[HTTP::cookie value $cookiename]"} 
  
 set decrypted [HTTP::cookie decrypt $cookiename $encryption_passphrase] 
  
 if { ($decrypted eq "") } { 
 if { $cookie_encryption_debug } { log local0. "COOKIE NOT ENCRYPTED. VALUE:[HTTP::cookie value $cookiename]"} 
  Cookie wasn't encrypted, delete it 
 HTTP::cookie remove $::cookiename 
 } else { 
 if { $cookie_encryption_debug } { log local0. "COOKIE DECRYPTED. VALUE:[HTTP::cookie value $cookiename]"} 
 } 
 } 
 } 
 } 
  
 when HTTP_RESPONSE {  
  
 if { $uri starts_with "https://some.server.com/auth/" and $CLIENT eq "192.168.1.5"} { 
 set cookie1 $cookiename 
 set cookie2 $cookiename 
 set cookie3 $cookiename 
  
 set cValue [HTTP::cookie value $cookie1] 
 set cLength [string length $cValue]  
  
 if { $cookie_encryption_debug } { log local0. "COOKIE LENGTH. VALUE: $cLength"} 
 if { $cLength &gt; 0 } { 
  
 if { $cookie_encryption_debug } { log local0. "COOKIE EXISTS. VALUE: [HTTP::cookie value $cookie2]"} 
  
 HTTP::cookie encrypt $cookiename $encryption_passphrase 
  
 if { $cookie_encryption_debug } { log local0. "COOKIE ENCRYPTED VALUE: [HTTP::cookie value $cookie3]"} 
 } 
 } 
 } 
  
&nbsp;  
&nbsp; And here are the logs 
&nbsp;  
&nbsp;  
 : COOKIE LENGTH. VALUE: 59 
 : COOKIE EXISTS. VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin 
 : COOKIE ENCRYPTED VALUE: https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin 
 : COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin 
 : COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin 
  - Illegal argument. Can't execute in the current context. (line 1)     invoked from within "HTTP::cookie value $::cookie1" 
 : COOKIE EXISTS. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin 
 : COOKIE NOT ENCRYPTED. VALUE:https%3A%2F%2Fsome.server.com%3A8443%2Fauth%2FUI%2FLogin 
  - Illegal argument. Can't execute in the current context. (line 22)     invoked from within "HTTP::cookie value $::cookie1"

brian_107072 · Answer

Aaron, 
&nbsp; The cookie is set on the auth response as far as I can tell. The Path is set to "/" in the cookie. 
&nbsp;  
&nbsp; --Brian

brian_107072 · Answer

I was able to resolve the "Illegal argument. Can't execute in the current context" messages. I created another iRule and moved all my cookie handling code there.  I then stacked it on my VIP's resources screen. Now the code seems to be working.  
&nbsp;  
&nbsp; The second issue turned out to be that there were multiple cookies by the same name but for different domains. My code was acting on the first cookie it saw which of course was the wrong cookie. Fortunately, it was safe to delete the first cookie because it was not relevant to my sessions. Now the rules act on the correct cookie and all is well. 
&nbsp;  
&nbsp; So, look for multiple cookies by the same name and try a second iRule if your code generates errors.

Forum Discussion

BigIP does not encrypt application cookies

5 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Cookie Encryption

Encrypted cookies on strict uri

Cookie

How to install lets encrypt on BIG IP

Client Side SSL Encryption while response from F5