F5 Cookie Encryption

Create a new persistence profile with cookie name “MYCOOKIE”

ltm persistence cookie PROF_MYCOOKIE {
cookie-name MYCOOKIE
defaults-from cookie
}

Use the following iRule with the Virtual Server:


when CLIENT_ACCEPTED {
set COOKIE_NAME "MYCOOKIE"
set PASSPHRASE "Secret1234"
}

when HTTP_RESPONSE {
if { [HTTP::cookie exists $COOKIE_NAME] } {
HTTP::cookie encrypt $COOKIE_NAME $PASSPHRASE
}
}

when HTTP_REQUEST {
if { [HTTP::cookie exists $COOKIE_NAME] } {
set DECRYPTED [HTTP::cookie decrypt $COOKIE_NAME $PASSPHRASE]
if { ($DECRYPTED eq "") } {
# Cookie wasn't encrypted, delete it
HTTP::cookie remove $COOKIE_NAME
}
}
}

It is essential to understand that the cookie encryption is useful in masking the information about the F5 Load Balancer and the real-servers serving the content. If someone can capture the encrypted cookie, they can still use it for malicious purposes even without decrypting it.

You can utilize a different cookie name and pass phrase in the above iRule. Just remember to use the same cookie name in the iRule and in the cookie persistence profile

There are ways to implement cookie persistence using the HTTP profile in the F5 LTM. However, there can be issues with utilizing this as there is a bug that prevents proper functioning when the cookie name as a "." (period) in it.

Reference:

SOL4784

SOL12472

Leave a Reply