iRule to secure All Cookies...

This iRule does indeed only look for a cookie named "ASP.NET_SessionID". To do all cookies, you'll have to loop through.

 

 

Can you answer the following questions?

 

 

1. When you say secure, do you mean encrypt the value of the cookie, or simply enable the secure flag?

 

2. Are we interested in the cookies being sent by pool members or do we need to "secure" the cookie values in inbound requests?

Colin's 20 Lines or Less 18 covers this a bit:

http://devcentral.f5.com/weblogs/cwalker/archive/2008/12/31/20-lines-or-less-18.aspx

Cookie Encryption Gateway

If you're looking to encrypt/decrypt ALL cookies going in and out of a virtual in one fell swoop, then here's your solution.  Normal configuration of profiles requires you to state each cookie that's going to be encrypted. This iRule allows you to add or remove cookies from your application at will, while always being sure they're going to be secured.

when RULE_INIT {
   Exposed passphrase, but this key can be synchronized to the peer LTM
    set ::passphrase "secret"

   Private passphrase, but it isn't synchronized.  On LTM failover to
   its peer, applications relying on the encrypted cookies will break.
     set ::passphrase [AES::key]
}

when HTTP_REQUEST {
  foreach { cookieName } [HTTP::cookie names] {
    HTTP::cookie decrypt $cookieName ::passphrase
  }
}

when HTTP_RESPONSE {
  foreach { cookieName } [HTTP::cookie names] {
    HTTP::cookie encrypt $cookieName ::passphrase
  }
}

Chris...

 

 

Thanks for the quick reply.. Actually you help me confirm something, since I'm only applying the iRule to "ASP.NET_SessionID" cookie I need to modifiy the iRule to just include one other cookie, at least this time, .ADAuthCookie, cookie.

 

 

I've modified a few iRules to include multiple and/or attributes but not sure about this one..

 

 

Would be very greatfuly if you would mind providing me an example of how to wright this with both cookies getting the secure tag.

 

 

Thanks,

 

Bob

Heading out shortly. If either I or someone else don't get this done tonight, I'll do it in the morning. So you don't need the cookies decrypted, just to have the secure tag? Can you help me understand the possible names? Will the ASP cookie be exactly that name or will it have something after ASP.NET_SessionID? Is ".AdAuthCookie" the exact name too?

Correct, we do not need the cookies decrypted, just have the secure tag. Currently the only two Cookie names will be the "ASP.NET_SessionID" and ".ADAuthCookie". Nothing after the name, the names are exctaly, "ASP.NET_SessionID" and ".ADAuthCookie".

 

 

Thanks again for you help!

 

 

Bob

when HTTP_RESPONSE {
if { [HTTP::cookie exists "ASP.net_SessionID"] } {
HTTP::cookie secure "ASP.net_SessionID" enable 
} 
if { [HTTP::cookie exists ".ADAuthCookie"] } {
HTTP::cookie secure ".ADAuthCookie" enable }
}

The rule does compile so that's a start. See if the functionality works and if it does, I'll clean it up so it's as efficient/pretty as possible. This is simply enables the secure flag on cookies sent from pool members with the two names you mentioned.

Thanks Chris.. It seems to work as expected, no errors in the LTM logs..

 

 

Thanks,

 

Bob