Forum Discussion

hooleylist
Dec 14, 2007

Manipulating a decrypted cookie value using HTTP::cookie decrypt

Hi,

I'm running into an issue on 9.2.4 when trying to get and potentially manipulate the unencrypted value of a cookie. I encrypt the cookie sent in the response using HTTP::cookie encrypt and then use this code in the HTTP_REQUEST event to decrypt it:

if {$::error_cookie_debug} {log local0. "Original error cookie value: [HTTP::cookie value $::error_cookie]"}
HTTP::cookie decrypt $::error_cookie $::cookie_pass 128
if {$::error_cookie_debug} {log local0. "Decrypted error cookie value: [HTTP::cookie value $::error_cookie]"}

The log output shows the encrypted value for both log entries:

Original error cookie value: hPMuQ/vZ3BwWZhe71UizCYaIirs0LFB3vKtchKRLWZGSNjLH
Decrypted error cookie value: hPMuQ/vZ3BwWZhe71UizCYaIirs0LFB3vKtchKRLWZGSNjLH

Is this because the cookie value is being cached? If so, is there a way to get the value of the decrypted cookie?

As a workaround, I've had to use AES::encrypt to set the value of the cookie in the response and then use AES::decrypt on the subsequent request. This limits the value of the HTTP::cookie encrypt/decrypt functions though.

Thanks in advance for any suggestions.

Aaron

3 Replies

  • Patrick_Chang_7
    Historic F5 Account
    The documentation indicates that HTTP::cookie decrypt returns the decrypted cookie value. It does not change the input cookie. Try this:

    set decrypted_cookie [HTTP::cookie decrypt $::error_cookie $::cookie_pass 128]
  • Hi pchang,

    I finally had time to retest this and see what you mean. I could have sworn that I was seeing the response modified using HTTP::cookie encrypt, without explicitly setting the value of the cookie to the encrypted string. Odd. Anyhow, thanks for the pointer.

    I might submit an RFE to see if the values could be modified in place, instead of having to explicitly set the value of the cookie to the encrypted/decrypted string. As it is, there doesn't seem to be any significant advantage to using HTTP::cookie encrypt/decrypt compared with the AES encrypt/decrypt commands.

    Aaron
  • Actually, it does look like the cookie value is modified by the encrypt and decrypt functions. I was getting confused by the HTTP::header and HTTP::cookie values being cached. You can decrypt the cookie value and save the output to a variable to work around the difficulty of cached values.

    For example, using two different priorities shows the true value of the cookie changing without explicitly setting the cookie value to the output of HTTP::cookie encrypt.

    
    when RULE_INIT {
       set ::cookie_passphrase "some phrase"
       set ::cookie_name "cookie_name"
       set ::cookie_value "cookie_value"
    }
    when HTTP_REQUEST priority 500 {
       # Insert a test cookie in the request
       HTTP::cookie insert name $::cookie_name value $::cookie_value
       log local0. "500 Unencrypted cookie value: [HTTP::cookie value $::cookie_name]"
       # Encrypt cookie and save the encrypted value
       set encrypted_value [HTTP::cookie encrypt $::cookie_name $::cookie_passphrase]
       log local0. "500 \$encrypted_value: $encrypted_value"
       log local0. "500 Correct cookie header value: [HTTP::header value Cookie]"
       log local0. "500 Cached cookie value: [HTTP::cookie value $::cookie_name]"
    }
    when HTTP_REQUEST priority 501 {
       log local0. "501 Encrypted test cookie value: [HTTP::cookie value $::cookie_name]"
       log local0. "501 Cookie header with encrypted value: [HTTP::header value Cookie]"
    }
    when HTTP_REQUEST priority 502 {
       # Decrypt cookie and save the decrypted value
       set decrypted_value [HTTP::cookie decrypt $::cookie_name $::cookie_passphrase]
       log local0. "502 \$decrypted_value: $decrypted_value"
       log local0. "502 Decrypted cookie header value: [HTTP::header value Cookie]"
       log local0. "502 Decrypted cookie value: [HTTP::cookie value $::cookie_name]"
    }

    Log output:

    : 500 Unencrypted cookie value: cookie_value
    : 500 $encrypted_value: f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P
    : 500 Correct cookie header value: cookie_name=f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P;
    : 500 Cached cookie value: cookie_value
    : 501 Encrypted test cookie value: f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P
    : 501 Cookie header with encrypted value: cookie_name=f3lzsw7kqxIeu2vI6yy8eCITlBtuGboyFJ5D1ES0tzpxA98XJ90P;
    : 502 $decrypted_value: cookie_value
    : 502 Decrypted cookie header value: cookie_name=cookie_value;
    : 502 Decrypted cookie value: cookie_value

    Aaron