Forum Discussion

Leslie_South_55
Nimbostratus
Aug 14, 2007

Encrypt the BIGip cookie + cookie insert

I have found some good examples of encrypting cookies with an iRule, but from what I read (if I am reading it correctly) it does not seem that anyone is encrypting the cookie inserted by the BIGIP itself? I use cookie_insert for persistence and a recent vulnerability assessment noted that the node and port number can be easily obtained by decoding the cookie value. Is it possible for me to encrypt the cookie that the BIGIP is inserting?

-L

5 Replies

  • The BIG-IP persistence cookie should be set before the default priority HTTP_RESPONSE event, so you should be able to use HTTP::cookie encrypt to encrypt it. You'd need to decrypt it in the request so it could be read for load selection.

    Aaron
  • bl0ndie_127134
    Historic F5 Account
    If you have 9.4 or later releases, you can specify the cookie name to be encrypted/decrypted in the GUI; no rules needed.
  • Deb_Allen_18
    Historic F5 Account
    Can we really manipulate the LTM-set cookie via iRules?

    I thought we might be able to do so in HTTP_REQUEST_SEND, but traditionally we've been unable to affect LTM-set headers.

    /deb
  • I've set the domain on a persistence cookie before. I haven't tried modifying the persistence cookie on the request though. I would have assumed it would be possible...?

    Aaron
  • Deb_Allen_18
    Historic F5 Account
    Sounds like it, given your experience.

    Didn't realize we could do that without rolling our own cookie. Good to know, thanks!

    /deb
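
The approach from the first reply, sketched as an iRule. This is an added example, not code posted in the thread: the cookie name `BIGipServerexample_pool`, the passphrase and the use of `static::` variables (available on newer TMOS versions) are assumptions, and it relies on the persistence cookie already being present when HTTP_RESPONSE fires, as that reply suggests.

```tcl
when RULE_INIT {
    # Assumed values: replace with the real persistence cookie name
    # (by default BIGipServer<pool name>) and a strong, private passphrase.
    set static::persist_cookie "BIGipServerexample_pool"
    set static::cookie_pass    "REPLACE-WITH-LONG-RANDOM-PASSPHRASE"
}

when HTTP_REQUEST {
    # The client sends back the encrypted value. Decrypt it in place so
    # cookie persistence can read the original node/port encoding.
    if { [HTTP::cookie exists $static::persist_cookie] } {
        set decrypted [HTTP::cookie decrypt $static::persist_cookie $static::cookie_pass]

        # An empty result means the value was not encrypted with this
        # passphrase (tampered, stale, or issued before the rule was
        # applied). Drop it so the request is load balanced afresh and
        # a new cookie is issued on the response.
        if { $decrypted eq "" } {
            HTTP::cookie remove $static::persist_cookie
        }
    }
}

when HTTP_RESPONSE {
    # Encrypt the persistence cookie before it leaves the BIG-IP so the
    # pool member address and port are not recoverable by the client.
    if { [HTTP::cookie exists $static::persist_cookie] } {
        HTTP::cookie encrypt $static::persist_cookie $static::cookie_pass
    }
}
```

After applying the rule, confirm with a browser or proxy that the `Set-Cookie` value no longer has the plain dotted-number form and that repeat requests still reach the same pool member.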