iRule: cookie encryption
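when CLIENT_ACCEPTED {
    # AES key used to encrypt and decrypt the cookie value. Valid key lengths
    # are 128, 192 or 256 bits, written as "AES <bits> <hex>" using HEX
    # characters only (a key generator is fine, or build your own).
    # NOTE(review): the key is embedded in the iRule source, so anyone who can
    # read this iRule holds the whole secret. The value below is presumably the
    # published sample; generate a fresh key per deployment and rotate it.
    set aes_key "AES 128 63544a5e7178677b45366b41405f2dab"
    # Name of the cookie to encrypt/decrypt.
    # Fix: the original read "set cookie"myCookie"" with no space, which Tcl
    # parses as a one-argument set on a variable literally named cookie"myCookie"
    # and fails at runtime; the intended variable is $cookie.
    set cookie "myCookie"
    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    # Debug logging writes plaintext cookie values to the log, so keep it at 0
    # outside of active troubleshooting.
    set cookie_encryption_debug 0
}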
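when HTTP_RESPONSE {
    # Read the cookie once; act only when the response carries it with a
    # non-empty value.
    set cookie_plain [HTTP::cookie value $cookie]
    if {[string length $cookie_plain] > 0} {
        # Log the original cookie value from the app.
        # NOTE: this line writes the unencrypted value to /var/log/ltm, which is
        # exactly what the encryption is meant to hide from the client; leave
        # cookie_encryption_debug at 0 except while troubleshooting.
        if {$cookie_encryption_debug} {
            log local0. "Response from app contained our cookie: $cookie_plain"
        }
        # Encrypt, then URI-encode, the value so the client can't read it.
        # NOTE(review): whether AES::encrypt also authenticates the ciphertext
        # isn't shown here - confirm before treating the cookie as tamper-proof
        # rather than merely opaque.
        # Fix: compute the encrypted value once and reuse it. The original
        # re-ran AES::encrypt on the cookie AFTER it had already been replaced,
        # so the "Encrypted error cookie to" log line showed a double-encrypted
        # value (and, with a fresh IV, never the value actually sent).
        set cookie_encrypted [URI::encode [AES::encrypt $aes_key $cookie_plain]]
        HTTP::cookie value $cookie $cookie_encrypted
        # Log the encoded and encrypted cookie value that was actually set.
        if {$cookie_encryption_debug} {
            log local0. "Encrypted error cookie to: $cookie_encrypted"
        }
    }
}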
when HTTP_REQUEST {
# If the error cookie exists with any value, for any requested object, try to
decrypt it
if {[string length [HTTP::cookie value $cookie]]}{
if {$cookie_encryption_debug}{log local0.
"Original error cookie value: [HTTP::cookie value $cookie]"}
# URI decode the value (catching any errors that occur when trying to
# decode the cookie value and save the output to cookie_uri_decoded)
if {not ([catch {URI::decode [HTTP::cookie value $cookie]}
cookie_uri_decoded])}{
# Log that the cookie was URI decoded
if {$cookie_encryption_debug}{log local0. "$cookie_uri_decoded was set
successfully"}
# Decrypt the value
if {not ([catch {AES::decrypt $aes_key $cookie_uri_decoded}
cookie_decrypted])}{
# Log the decrypted cookie value
if {$cookie_encryption_debug}{log local0. "$cookie_decrypted:
$cookie_decrypted"}
} else {
# URI decoded value couldn't be decrypted.
}
} else {
# Cookie value couldn't be URI decoded
}
} else {