Forum Discussion

SaiNetwork_1624
Jun 20, 2017

Does cookie encryption through the HTTP profile affect cookie-disabled VIPs?

Hi, I have a request to enable cookie encryption on the entire LTM.

Please let me know one thing. Does cookie persistence work only if I map a cookie persistence profile to the VIP and then an HTTP profile? Or does cookie persistence work alone with the HTTP profile if we do some cookie settings inside it, without mapping a cookie persistence profile to that VIP?

I see some VIPs have HTTP profiles only and some VIPs have both HTTP and cookie profiles. I am planning to enable cookie encryption in the HTTP profiles themselves and not touch the cookie persistence profile settings. I am weird that some VIPs are using HTTP profiles alone, and if I enable encryption, this may also affect VIPs with the cookie persistence profile disabled.

Thank you very much.

 

5 Replies

  • Heya,

     

    I had a brain fade, Piotr is correct regarding http profile being required for cookie persistence.

     

    If you are seeking to encrypt your persistent cookie, that can be configured from within the cookie persistence profile. If you wish to encrypt other cookies then you can specify those particular cookies in the HTTP profile.

     

    • SaiNetwork_1624

      Hi Piotr,

      Thank you very much for your response. This clarified it for me. Please find the bottom line of my query and let me know if I can do it.

      Suppose I enabled cookie encryption in the http_prod HTTP profile.

      Case 1: for a VIP with only the http_prod profile (no cookie profile), this does nothing; I didn't map any cookie persistence profile to it. No stickiness is provided as there is no cookie persistence.

      Case 2: for a VIP with both http_prod and cookie profiles, as I enabled cookie encryption in the HTTP profile, the LTM starts encrypting and decrypting the cookie between the client and itself and provides stickiness.

      Please let me know if the above cases are correct.

      Thanks again. Sai

       

  • Hi,

     

    Actually Cookie persistence profile will not work without HTTP profile. Of course there are persistence profile types that will work without HTTP profile (like Source Address Affinity) but not cookie type.

     

    HTTP profile is assigned to VS to allow LTM to understand HTTP protocol. This is for example necessary if you would like to use Cookie persistence profile.

     

    In this case LTM needs to be able to parse HTTP request/response to extract/set cookie header used for persistence.

     

    Persistence profile (in this case cookie) is needed when stickiness of HTTP session is required.

     

    It means that all client HTTP requests after the first load balancing decision (when the first client HTTP request without an LTM cookie is received) should be sent to the same pool member as the first request.

     

    So dependency is like that:

     

    • HTTP profile does not need Persistence profile
    • Cookie persistence profile requires HTTP profile

    Concerning setting cookie encryption in HTTP profile - you can safely do that for both VSs with only HTTP profile assigned as well as VSs with both HTTP profile and Cookie persistence profile.

     

    Encrypt Cookies will just encrypt cookies (specified by name in this field) when sending responses to clients, then decrypt them when receiving request from client.

     

    Because you have to specify list of cookie names that should be encrypted then you can omit persistence cookie name (used by Cookie persistence profile) - it will not be encrypted, but of course you can as well specify it to be encrypted - LTM will handle encrypted persistence cookie as well.

     

    Anyway for cookies used by Cookie persistence profile it's easier to use Cookie Encryption Use Policy option available in Cookie persistence profile configuration (TMOS 11.5.0+), than Encrypt Cookies in HTTP profile.

     

    Persistence cookies have dynamic names built like this: BIGipServer[name of the pool assigned to VS] - if the pool is http_pool then the cookie name will be BIGipServerhttp_pool.

    So it would be necessary to change the cookie name in the HTTP profile Encrypt Cookies option each time the pool assigned to the VS changes, and to have as many HTTP profiles as pools used by VSs.

     

    Piotr
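
The dependency rules and the cookie naming described in the reply above can be checked across a set of virtual servers before Encrypt Cookies is changed in a shared HTTP profile. The following is an added example, not part of the thread and not F5 code; the inventory, the profile contents and the function names are constructed assumptions, and the `BIGipServer` + pool name rule is taken from the reply.

```python
# Added example: constructed inventory, not a real BIG-IP configuration.
from collections import defaultdict

VIRTUAL_SERVERS = [
    {"name": "vs_app1", "http": "http_prod", "cookie_persist": True, "pool": "http_pool"},
    {"name": "vs_app2", "http": "http_prod", "cookie_persist": True, "pool": "app2_pool"},
    {"name": "vs_static", "http": "http_prod", "cookie_persist": False, "pool": "static_pool"},
    {"name": "vs_tcp", "http": None, "cookie_persist": True, "pool": "tcp_pool"},
]
# Constructed Encrypt Cookies list per HTTP profile (cookie names to encrypt).
ENCRYPT_COOKIES = {"http_prod": {"JSESSIONID", "BIGipServerhttp_pool"}}


def persistence_cookie(pool):
    """Default persistence cookie name, per the rule given in the thread."""
    return "BIGipServer" + pool


def audit(vservers, encrypt_cookies):
    """Return (finding per virtual server, persistence cookies each HTTP profile must list)."""
    findings = {}
    needed = defaultdict(set)
    for vs in vservers:
        name, http = vs["name"], vs["http"]
        if http is None:
            findings[name] = ("invalid: cookie persistence requires an HTTP profile"
                              if vs["cookie_persist"]
                              else "no HTTP profile: Encrypt Cookies does not apply")
        elif not vs["cookie_persist"]:
            findings[name] = "no persistence cookie: only listed application cookies are encrypted"
        else:
            cookie = persistence_cookie(vs["pool"])
            needed[http].add(cookie)
            listed = cookie in encrypt_cookies.get(http, set())
            state = "encrypted by HTTP profile" if listed else "NOT covered by HTTP profile"
            findings[name] = f"{cookie}: {state}"
    return findings, dict(needed)


if __name__ == "__main__":
    findings, needed = audit(VIRTUAL_SERVERS, ENCRYPT_COOKIES)
    for vs_name, finding in findings.items():
        print(f"{vs_name:10} {finding}")
    for profile, cookies in needed.items():
        missing = sorted(cookies - ENCRYPT_COOKIES.get(profile, set()))
        print(f"{profile}: must list {len(cookies)} persistence cookies, missing {missing}")
```

A shared HTTP profile that has to list more than one persistence cookie name is the maintenance problem the reply describes; encrypting the persistence cookie from the Cookie persistence profile avoids tracking pool names in the HTTP profile.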