HTTP Cookies when using SSL offloading

when I capture the traffic between Clients and F5 (where the traffic should be encrypted) I can capture cookies in HTTP without encryption.

how did you capture the traffic? was it tcpdump or something else?

Servers<--http--->F5<---https---->Firewall<-----Internet(https)---->Users

I captured the traffic on firewall between Internet and F5 and I can see Http packet containing cookies, the other traffic are all encrypted in 443(https) packets.

When you captured the traffic, did you check the MAC addresses to see if your trafic is realy corresponding between F5 and clients ? Because it can be an architectural problem.

Or maybe your firewall is making SSL inspection ?

The secure flag does not encrypt the cookie but specify to the browser that the cookie must not be send to the server in an unsecured connection (if the user is redirected to HTTP URL on the same domain)

As the cookie is added as HTTP header of the answer, if the cookie is sent in clear, the whole connection is in clear...

Can you post the virtual server configuration?

there is no inspection on my firewall. the firewall even do not contain the Certificate to be ablt to decrypt the traffic for inspection.

here is the related confguration:

ltm node /Common/10.0.35.55 {

address 10.0.35.55

}

ltm node /Common/10.0.35.56 {

address 10.0.35.56

}

ltm node /Common/10.0.35.57 {

address 10.0.35.57

}

ltm pool /Common/IB-APP.app/IB-APP_pool {

app-service /Common/IB-APP.app/IB-APP

members {

    /Common/10.0.35.55:http {

        address 10.0.35.55

    }

    /Common/10.0.35.56:http {

        address 10.0.35.56

    }

    /Common/10.0.35.57:http {

        address 10.0.35.57

    }

}

monitor /Common/tcp

slow-ramp-time 300

}

ltm rule /Common/IB-APP.app/IB-APP_irule {

app-service /Common/IB-APP.app/IB-APP

when HTTP_REQUEST {

        HTTP::redirect https://[HTTP::host][HTTP::uri]

    }

when HTTP_RESPONSE {

foreach cookie [HTTP::cookie names]

{

HTTP::cookie secure $cookie enable

}

}

}

ltm rule /Common/IB-HTTPs-Rule {

when HTTP_REQUEST {

HTTP::header insert "X-Forwarded-Proto" "https";

}

when HTTP_RESPONSE {

foreach mycookie [HTTP::cookie names] {

HTTP::cookie secure $mycookie enable

}

}

}

ltm rule /Common/IB-OTP.app/IB-OTP_irule {

app-service /Common/IB-OTP.app/IB-OTP

when HTTP_REQUEST {

        HTTP::redirect https://[HTTP::host][HTTP::uri]

    }

}

ltm virtual /Common/IB-APP.app/IB-APP_http {

app-service /Common/IB-APP.app/IB-APP

destination /Common/10.0.35.28:http

ip-protocol tcp

mask 255.255.255.255

persist {

    /Common/IB-APP.app/IB-APP_cookie_persistence_profile {

        default yes

    }

}

profiles {

    /Common/IB-APP.app/IB-APP_caching_profile { }

    /Common/IB-APP.app/IB-APP_http_profile { }

    /Common/IB-APP.app/IB-APP_lan-optimized_tcp_profile {

        context serverside

    }

    /Common/IB-APP.app/IB-APP_wan-optimized-compression_profile { }

    /Common/IB-APP.app/IB-APP_wan-optimized_tcp_profile {

        context clientside

    }

}

rules {

    /Common/IB-APP.app/IB-APP_irule

}

vlans-disabled

}

ltm virtual /Common/IB-APP.app/IB-APP_https {

app-service /Common/IB-APP.app/IB-APP

destination /Common/10.0.35.28:https

ip-protocol tcp

mask 255.255.255.255

persist {

    /Common/IB-APP.app/IB-APP_cookie_persistence_profile {

       default yes

    }

}

pool /Common/IB-APP.app/IB-APP_pool

profiles {

    /Common/IB-APP.app/IB-APP_clientssl {

        context clientside

    }

    /Common/IB-APP.app/IB-APP_http_profile { }

    /Common/IB-APP.app/IB-APP_lan-optimized_tcp_profile {

        context serverside

    }

    /Common/IB-APP.app/IB-APP_oneconnect { }

    /Common/IB-APP.app/IB-APP_wan-optimized_tcp_profile {

        context clientside

    }

}

snat automap

vlans-disabled

Which cookies are in clear?

• HTTP request
• HTTP response
• HTTPS request
• HTTPS response

When you connect to the application, can you validate the cookies are defined as secure in your browser (firefox is useful to view cookies quickly)?

If some cookies are not secure, can you delete all cookies and try again? are they created again without secure flag?

I dont know what is the different between these cookies. The cookies which is sent from user browser to f5 (where the traffic should be 443(https) is unencrypted and sent on 80(http) I want this cookie transmitted over HTTPS not HTTP.

the cookies on client web browsers do not have secure flag and when I delete or clear the cookies on my browser the new one is also without secure flag.

should I config an irule and assign it to HTTPS Virtual server? as you can see in the configuration that irule is assigned to HTTP Virtual server. HTTPS virtual server do not have any irule assigned to it.

Did you try to change cookie version as described in HTTP::cookie irule wiki? https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

when HTTP_RESPONSE {
   set cookieNames [HTTP::cookie names]
   foreach aCookie $cookieNames {
      HTTP::cookie version $aCookie 1
      HTTP::cookie secure $aCookie enable
   }
}

I tied this one too and the same result :( user still send their cookies on http protocol instead of https

before each retry, clear cookies in the browser to be sure there is not previously downloaded cookies.