SSL for Authenticated Sessions

Problem this snippet solves:

This iRule protects session cookies by setting the "secure" flag and redirecting all requests to SSL after the user has logged into the site. This will protect your customers from having their session cookies hijacked. If you are wondering, this is the same vulnerability made famous a couple of years ago by Firesheep.

The iRule is perfect for sites that are generally public, but allow a login for access to special content or features. Customers who are just browsing the site will be able to use it over a non-secure connection, but secure connections will be enforced after they have authenticated.

To use this iRule, fill in the name of your session cookie and apply it to both the HTTP and HTTPS services of the VIP you want protected. Enjoy!

Code:

when HTTP_REQUEST {
    # If the user is authenticated and is using the non-secure service, redirect them to the secure site
    if { [HTTP::cookie exists "authenticated"] && [PROFILE::exists clientssl] == 0 } {
        HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    # Only needed if the server is setting a session cookie (i.e. the user is authenticating)
    if { [HTTP::cookie exists "yoursessioncookie"] } {
        set cookiedomain [HTTP::cookie domain "yoursessioncookie"]
        # Set the secure flag on the cookie, which will tell the browser not to send it over insecure requests
        HTTP::cookie secure "yoursessioncookie" enable
        # Since the session cookie will not be sent over insecure requests, set another cookie so the iRule knows if redirection is needed
        HTTP::cookie insert name "authenticated" value "true" domain $cookiedomain path "/"
    }
}
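An added example, not part of the snippet above: a small Python checker you can point at captured request/response pairs to confirm the iRule is doing what it should, i.e. the session cookie leaves with the Secure flag plus the marker cookie, and a cleartext request carrying the marker is answered with a 302 to the same https URL. The cookie names, the example.com host and the sample headers are assumptions constructed for the demo.

```python
"""Offline check of what the iRule above should produce: (1) a session cookie
leaves the server with the Secure flag and the 'authenticated' marker beside
it; (2) a cleartext request carrying the marker gets a 302 to https://."""

SESSION_COOKIE = "yoursessioncookie"  # placeholder name used on the page
MARKER_COOKIE = "authenticated"       # marker cookie the iRule inserts


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lowercase: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def check_response(scheme, request_cookies, host, uri, status, headers):
    """Return findings for one request/response pair; [] means it matches the
    iRule's intent. headers is a list of (name, value) pairs because Set-Cookie
    may repeat."""
    findings = []
    cookies = {n: a for n, _, a in (parse_set_cookie(v) for h, v in headers
                                   if h.lower() == "set-cookie")}
    # Rule 1: marker present on a cleartext request => 302 to the same https URL
    if scheme == "http" and MARKER_COOKIE in request_cookies:
        location = next((v for h, v in headers if h.lower() == "location"), None)
        if status != 302 or location != f"https://{host}{uri}":
            findings.append(f"cleartext request not redirected to https://{host}{uri}")
    # Rule 2: when a session cookie is set, it must be Secure and the marker
    # must be set with it, on the same domain and path /
    if SESSION_COOKIE in cookies:
        session = cookies[SESSION_COOKIE]
        if session.get("secure") is not True:
            findings.append(f"{SESSION_COOKIE} set without the Secure flag")
        marker = cookies.get(MARKER_COOKIE)
        if marker is None:
            findings.append(f"{MARKER_COOKIE} marker cookie not inserted")
        elif marker.get("path") != "/" or marker.get("domain") != session.get("domain"):
            findings.append(f"{MARKER_COOKIE} marker has wrong domain or path")
    return findings


# Constructed sample headers (not captured from a real site)
PROTECTED_LOGIN = [
    ("Set-Cookie", "yoursessioncookie=abc123; Domain=example.com; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "authenticated=true; Domain=example.com; Path=/"),
]
UNPROTECTED_LOGIN = [("Set-Cookie", "yoursessioncookie=abc123; Domain=example.com; Path=/")]
```

Feed it headers captured from the HTTP and HTTPS services of the VIP; an empty list from both the login response and a marker-bearing cleartext request means the rule is in effect on both.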
Published Mar 18, 2015
Version 1.0
