cookie encryption using Http profile and irule

Question

Hi,&nbsp;
Tried cookie encryption using the irule and http profile. However, When ran a vulnerability scanner from the internet the cookie is leaking internal Ips etc. Not sure what am is missing? Please help.&nbsp;
ltm rule cookie_domain {
    partition test-dmz
    when HTTP_REQUEST {
  set domainname [HTTP::host]
}
}&nbsp;
ltm rule cookie_secure {
    partition test-dmz
    when HTTP_RESPONSE {
  foreach aCookie [HTTP::cookie names] {
    HTTP::cookie secure $aCookie enable
  }
}
}&nbsp;
ltm persistence cookie Com_cookie {
    app-service none
    defaults-from cookie
    expiration 0
}&nbsp;
create ltm profile http http-cookieencrypt defaults-from http encrypt-cookies add { Com_cookie } encrypt-cookie-secret "Password01"&nbsp;
ltm profile http http-cookieencrypt {
    app-service none
    defaults-from http
    encrypt-cookie-secret Password01
    encrypt-cookies { Com_cookie }
}&nbsp;

yann_desmarest · Answer

Hello, &nbsp;
You encrypt everything except persistence cookies. You should add encryption within the Cookie persistence profile assigned to your VS.&nbsp;

Forum Discussion

cookie encryption using Http profile and irule

1 Reply

Recent Discussions

Can iRule forward request to pool after ASM block without ASM:unblock ?

Need help with ICAP integration with F5 LTM

connect to cloudflare or cloud ec2 via SSLO

Need help on i-rule to specific uri path

GCP F5 deployment - Active -Active with config Sync

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Let's Encrypt

Encrypting Cookies

Cookie Encryption

Automate Let's Encrypt Certificates on BIG-IP