Forum Discussion

flomkrl_29950
Nov 27, 2008

Cookie steal risk ?

Hello,

If another user catches the BIGIP cookie, is it able to access the application without authentication? I'm referring to the iRule ClientAuthUsingHTMLForms (http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html)

Or does the authid include the source client IP and port info?

Thanks for your explanation,

Regards,

flo

3 Replies

  • Hamish
    A couple of small observations about cookies... And this iRule.

    1. I don't think the cookie is set as a 'secure' cookie. So in theory it's vulnerable to attack if it is presented to the site across an unencrypted session.

    2. The cookie actually contains data... Encrypting it is of dubious use. No encryption of the cookie contents will stop someone from stealing it. It would only stop someone from looking at it & changing it themselves.

    Note that in an iRule you're probably not going to get away from 2. Normally you'd keep a session table with the info on the web server, and the cookie would be a random value used as a key to look that info up (e.g. in a hash table). But iRules don't really provide for that level of control.

    Short answer is that there's nothing there to guarantee security. YMMV.

    Hamish.

  • Is there any way to make this cookie secure?

    - One suggestion: add the source IP to the cookie information

    Thanks,

    Flo
  • If you have clients connecting from behind pools of proxies or that are on DHCP with public IP addresses, it's possible that their IP address would legitimately change during a session.

    As Hamish suggested, using HttpOnly and Secure on cookies can help. Using HTTPS should also help with cookie theft. And you can actually track session data in the LTM session table, but it's nowhere near as functional as on a typical web application.

    Aaron
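The pattern Hamish describes (an opaque random cookie value that is only a key into a server-side session table) together with the two points Aaron raises (the Secure and HttpOnly attributes, and the problem with binding a session to the client's source IP), as an added Python example. This is not code from the thread, from the ClientAuthUsingHTMLForms iRule or from F5; the in-memory session table, the 900-second TTL, the cookie name `authid` and the sample addresses are constructed assumptions. The point it makes is a defensive one: a stolen opaque id still replays until it expires or is revoked, but unlike a self-contained encrypted cookie it carries no user data and can be invalidated server-side; IP binding (Flo's suggestion) is shown as an optional check so the cost Aaron describes is visible.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed example: an in-memory session table standing in for the
# server-side store Hamish describes. The cookie value is an opaque random
# key into this table and carries no user data of its own.
SESSION_TTL = 900          # seconds; assumed value, not from the thread
COOKIE_NAME = "authid"     # cookie name from the thread; the value format here is ours
_sessions = {}             # sid -> {"user", "ip", "expires"}


def create_session(username, now, client_ip):
    """Issue a fresh random session id and record who it belongs to."""
    sid = secrets.token_urlsafe(32)   # 256 bits from a CSPRNG, cookie-safe characters only
    _sessions[sid] = {"user": username, "ip": client_ip, "expires": now + SESSION_TTL}
    return sid


def lookup_session(sid, now, client_ip, enforce_ip=False):
    """Return the username for a presented cookie value, or None if it is unknown,
    expired, or (when enforce_ip is set) presented from a different source address.

    enforce_ip=True implements Flo's suggestion of tying the session to the client IP.
    As Aaron notes, a legitimate client whose address changes mid-session (proxy pools,
    DHCP) is then logged out, so the check is off by default.
    """
    rec = _sessions.get(sid)
    if rec is None:
        return None
    if now > rec["expires"]:
        _sessions.pop(sid, None)      # expired: drop it so a captured value cannot be replayed later
        return None
    if enforce_ip and rec["ip"] != client_ip:
        return None
    return rec["user"]


def revoke_session(sid):
    """Server-side invalidation (logout, suspected theft). Returns True if the id existed.
    This is what a self-contained encrypted cookie cannot offer: there is nothing to delete."""
    return _sessions.pop(sid, None) is not None


def build_set_cookie(sid):
    """Build the Set-Cookie value with the attributes Aaron mentions: Secure and HttpOnly."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True     # never sent over plain HTTP (Hamish's point 1)
    c[COOKIE_NAME]["httponly"] = True   # not readable by page scripts
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()


def parse_cookie_header(header):
    """Extract the session id from a request's Cookie header, or None if absent."""
    c = SimpleCookie()
    c.load(header or "")
    morsel = c.get(COOKIE_NAME)
    return morsel.value if morsel else None


if __name__ == "__main__":
    t0 = 1000.0
    sid = create_session("flo", t0, "203.0.113.5")       # constructed client address
    print(build_set_cookie(sid))
    print("same client:", lookup_session(sid, t0 + 10, "203.0.113.5"))
    print("other address, no binding:", lookup_session(sid, t0 + 10, "198.51.100.9"))
    print("other address, IP-bound:", lookup_session(sid, t0 + 10, "198.51.100.9", enforce_ip=True))
    revoke_session(sid)
    print("after revoke:", lookup_session(sid, t0 + 20, "203.0.113.5"))
```

Run as a script it prints the Set-Cookie line and then shows the same id accepted from the issuing address, accepted from a different address when IP binding is off, rejected when it is on, and rejected after revocation. In the iRule setting the thread discusses, the equivalent controls are the cookie attributes and, as Aaron says, the LTM session table rather than a per-application store.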