Jean_Mamène
Jun 07, 2019

Encrypted cookies on strict uri

Hi, I need to encrypt my cookies on a specific URI.

I have this iRule:

when HTTP_RESPONSE {
  set myValues [HTTP::cookie names]

  foreach mycookies $myValues {
    if { [HTTP::cookie version $mycookies] != 1 } {
      set ckval [HTTP::cookie value $mycookies]
      set ckpath [HTTP::cookie path $mycookies]
      HTTP::cookie remove $mycookies
      HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
    }
    HTTP::cookie secure $mycookies enable
    HTTP::cookie httponly $mycookies enable
  }
}

But this iRule encrypts all the cookies.

I tried this:

when HTTP_REQUEST{
  set orighost [HTTP::host]
  set origuri [HTTP::uri]
  set uri1 "/sso"
}

when HTTP_RESPONSE {
  set myValues [HTTP::cookie names]
  foreach mycookies $myValues {
    if { ([HTTP::cookie version $mycookies] != 1 ) and ($origuri starts_with "$uri1") } 
    {
      set ckval [HTTP::cookie value $mycookies]
      set ckpath [HTTP::cookie path $mycookies]
      HTTP::cookie remove $mycookies
      HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
    }
    HTTP::cookie secure $mycookies enable
    HTTP::cookie httponly $mycookies enable
  }
}

But it doesn't work.

Can you help me fix that?

Regards

  • Hello

    Technically, you are not encrypting your cookies, you are encrypting your communication by tagging your cookies with "secure".

    REF - https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie

    REF - https://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie

     

    The rest of the code only replaces the cookie version of all of them.

    HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1

    Encryption is done by using

    HTTP::cookie encrypt <name> <pass phrase> ["128" | "192" | "256"]

    ---

    So, if you need to apply the iRule only for queries which have a specific URI, you should do something like this (with the condition containing the whole code).

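    when HTTP_REQUEST {
      # Save the request URI (lower-cased) so it is available in HTTP_RESPONSE
      set origuri [string tolower [HTTP::uri]]
    }

    when HTTP_RESPONSE {
      set myValues [HTTP::cookie names]
      # Replace "uri" with the lower-case URI prefix to match, e.g. "/sso" from the question
      if { $origuri starts_with "uri" } {
        foreach mycookies $myValues {
          # Re-insert the cookie as version 1 if it is not already
          if { [HTTP::cookie version $mycookies] != 1 } {
            set ckval [HTTP::cookie value $mycookies]
            set ckpath [HTTP::cookie path $mycookies]
            HTTP::cookie remove $mycookies
            HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
          }
          # Set the Secure and HttpOnly attributes
          HTTP::cookie secure $mycookies enable
          HTTP::cookie httponly $mycookies enable
        }
      }
    }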

    You can find the meaning of each HTTP::cookie command here

    https://clouddocs.f5.com/api/irules/HTTP__cookie.html

     

    KR,

    Dario.

    • Dario_Garrido

      Great! I'm glad to hear this. You are welcome.

       

      I would appreciate it if you mark my answer as "the best" or give me an upvote.

       

      KR,

      Dario.
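
The answer above distinguishes the Secure/HttpOnly flags from real encryption with `HTTP::cookie encrypt`. The iRule below is an added example, not code from the thread: it encrypts cookie values only for requests under the question's `/sso` prefix and decrypts them again on the way back in. The names `static::ck_pass`, `static::ck_uri` and `protect` and the passphrase placeholder are assumptions.

```tcl
when RULE_INIT {
    # Assumption: placeholder passphrase, replace with your own secret.
    set static::ck_pass "REPLACE_WITH_PASSPHRASE"
    # URI prefix taken from the question, compared in lower case.
    set static::ck_uri "/sso"
}

when HTTP_REQUEST {
    # Decide once per request; HTTP_RESPONSE reuses the flag.
    set protect 0
    if { [string tolower [HTTP::uri]] starts_with $static::ck_uri } {
        set protect 1
        foreach ck [HTTP::cookie names] {
            # Decrypt in place so the pool member receives the clear value.
            # An empty result means the value was not encrypted with this
            # passphrase or was altered, so the cookie is dropped.
            # Assumption: every cookie the application reads under this
            # prefix was set by a response under the same prefix.
            if { [HTTP::cookie decrypt $ck $static::ck_pass] eq "" } {
                HTTP::cookie remove $ck
            }
        }
    }
}

when HTTP_RESPONSE {
    if { $protect } {
        foreach ck [HTTP::cookie names] {
            # Encrypt the value before it leaves for the client.
            # A cookie whose Path is wider than the prefix (for example "/")
            # is also sent by the browser to other URIs, where this rule
            # does not decrypt it and the server would see ciphertext.
            HTTP::cookie encrypt $ck $static::ck_pass "256"
        }
    }
}
```

The `HTTP::cookie secure` and `HTTP::cookie httponly` calls from the answer's rule can go inside the same response loop.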