Forum Discussion

Nick_T_68319's avatar
Nick_T_68319
Icon for Nimbostratus rankNimbostratus
Nov 13, 2014

Persistence Cookie Encryption

I noticed after upgrading to 11.5 in the cookie persistence profile, there is now an option for:

 

Cookie Encryption Use Policy Encryption Passphrase

 

Has anyone used this? Does it just encrypt the contents of the cookie the same way the HTTP profile Encrypt Cookies option worked? I tried to search the options in the manual but didn't find much information.

 

5 Replies

  • You are right there is near zero documentation on this. I have experimented with it and it does encrypt cookie contents just like the HTTP profile option does. Regarding the "Cookie encryption use policy" setting the help tab in v11.6 says this

     

    Specifies the way in which the cookie encryption format is used. The default is disabled.

     

    disabled: Generates the cookie format unencrypted.

     

    preferred: Generate an encrypted cookie, but accepts both encrypted and unencrypted formats.

     

    required: Cookie format must be encrypted.

     

  • Does anyone know the purpose of this? Was it to simply the two-step encryption process into a single profile?

     

  • I was wondering for a while what could be the use case for "Preferred". Generally, we would use either clear or encrypted cookies, so why having a "Preferred" option? Well, that's an excellent choice for a smooth transition from unencrypted to encrypted cookies. With "Cookie Encryption Use Policy" set to "Preferred", the system will generate encrypted cookies while still accepting the unencrypted cookies sent in the requests from previous clients.

     

    This "Preferred" option should be kept for the duration of the cookie previously configured in the Cookie Persistence Profile ("Expiration" field). After that, all previous cookies should have either expired or been replaced by an encrypted one. For a Session Cookie, use your own judgement, I guess.