iRule: Securing Cookies
So, you've got yourself some info that you want to stash in a cookie. The problem is that cookie contents travel in HTTP headers, where anyone who can see the traffic can read them, including exactly the people you want to keep the contents away from.
Sure, you could encrypt your session with SSL. That would stop those sniffing on the wire, but the cookie is then stored on the client's disk in clear text.
So, you may ask, how easy is it to secure the contents of a cookie? Well, thanks to BIG-IP v9.x, it's VERY easy. With a simple iRule, you can do it in a few keystrokes.
Here's a simple iRule that will do that for you. First, at rule initialization, we generate a unique encryption key:
    when RULE_INIT {
        # Generate a unique encryption key once, when the rule is loaded.
        # (::key is a v9.x global; later releases prefer static:: variables to stay CMP-compatible.)
        set ::key [AES::key]
    }
Next, for an HTTP response that contains the cookie (in this example the cookie is named "MyCookie"), we encrypt its value and replace the original with the encrypted version.
    when HTTP_RESPONSE {
        # Value the server set in clear text via Set-Cookie
        set decrypted [HTTP::cookie "MyCookie"]
        if { "" ne $decrypted } {
            # remove the original cookie, encrypt it, and then insert the encrypted value
            HTTP::cookie remove "MyCookie"
            set encrypted [b64encode [AES::encrypt $::key $decrypted]]
            HTTP::cookie insert name "MyCookie" value $encrypted
        }
    }
Now, when the client makes a subsequent request, we check for the encrypted version of the cookie. If it exists, we decrypt it and replace the encrypted value with its decrypted counterpart.
    when HTTP_REQUEST {
        # Value the client sent back, as rewritten in the earlier response
        set encrypted [HTTP::cookie "MyCookie"]
        if { "" ne $encrypted } {
            # remove encrypted cookie, decrypt it, and insert the decrypted value.
            HTTP::cookie remove "MyCookie"
            set decrypted [AES::decrypt $::key [b64decode $encrypted]]
            HTTP::cookie insert name "MyCookie" value $decrypted
        }
    }
Pretty simple huh?
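The same two hooks modelled in Go, as an added example that is not part of the original post or of BIG-IP: Seal plays the HTTP_RESPONSE step and Open the HTTP_REQUEST step. It assumes a 16/24/32-byte key and swaps the iRule's AES::encrypt for AES-GCM so that a cookie a client has altered is rejected on the way back in instead of being decrypted into garbage and handed to the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// CookieSealer models the proxy's role in the iRule above: the server sets
// MyCookie in clear text, the proxy seals it on the way out and opens it on
// the way back in. The key plays the part of ::key from RULE_INIT. AES-GCM
// (an assumption, not the iRule's AES::encrypt) also authenticates the value.
type CookieSealer struct{ aead cipher.AEAD }

func NewCookieSealer(key []byte) (*CookieSealer, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &CookieSealer{aead: aead}, nil
}

// Seal is the HTTP_RESPONSE step: encrypt, then base64 so the value is cookie-safe.
func (s *CookieSealer) Seal(plain string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := s.aead.Seal(nonce, nonce, []byte(plain), nil) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open is the HTTP_REQUEST step. A malformed or tampered value is rejected,
// so the back end never sees a cookie the proxy did not issue.
func (s *CookieSealer) Open(value string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	n := s.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed cookie")
	}
	plain, err := s.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", errors.New("cookie failed authentication")
	}
	return string(plain), nil
}
```

In the iRule, the equivalent check is wrapping AES::decrypt in a catch and dropping the cookie when it fails.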
-Joe