Forum Discussion

williamwu2019_2's avatar
williamwu2019_2
Icon for Nimbostratus rankNimbostratus
Jun 23, 2016

Preferred Cookie Encryption Policy Doesn't Work!!!

We need to encrypt the F5 BigIP cookie value. However, we have some integration will send out encode BigIP cookie value (not encrypted) to F5. We followed the instructions below. But we still cannot let F5 to locate to the right server using encode cookie value. https://support.f5.com/kb/en-us/solutions/public/k/23/sol23254150.html

 

For example, the original BigIP cookie is something like below: BIGipServerxxx.com_1080=rd13o00000000000000000000ffff0a12341fo1080

 

After enabled the cookie encryption, it becomes something like: BIGipServerxxx.com_1080=!uVEJkUKJD6dBRac7a9IoGymsGs7Gj6WAC1kK8Amxz3pGJGr/z7V7FEAJS4Cir04lI6T+h0V+LjUWLnSrFbYCZugeum2JeTOyBAgejyEtEhs=

 

If I send the request with BIGipServerxxx.com_1080=rd13o00000000000000000000ffff0a12341fo1080, F5 will be failed to locate to the right server. So, seems the F5 cannot recognize the encode value with the encryption enabled.

 

BIG-IP
security

1 Reply

Sort By
  • IanB's avatar
    IanB
    Icon for Employee rankEmployee
    Jun 23, 2016

    If I understand your question correctly, you're saying that if you send an unencrypted persistence cookie to the LTM when it is configured for cookie encryption on that virtual server, then it fails to recognise the cookie. If that's what you're saying, then that's working as designed.

     

    An unencrypted cookie comes in, and it decrypts it by passing it through AES, and what comes out is not valid, so it is discarded.

     

    Why would you be sending both encrypted and unencrypted cookies to the same virtual server ?