This document defines a cookie encryption process that encrypts a cookie value on the response and decrypts it on subsequent requests. It sets an AES encryption key, the cookie name, and a flag that enables or disables debug logging. On responses, it encrypts the cookie value if one is present. On requests, it decrypts the cookie value if one is present by URI-decoding it, decrypting it with the key, and logging the results.
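when CLIENT_ACCEPTED {
    # Per-connection setup: the AES key, the cookie name and the debug flag
    # used by the HTTP_RESPONSE (encrypt) and HTTP_REQUEST (decrypt) handlers.

    # AES encryption key. Valid key lengths are 128, 192, or 256 bits.
    # You can use a key generator, or create your own using only HEX characters.
    # This key is a secret: anyone who holds it can read and forge cookie
    # values, so replace the sample below with your own key and keep it out of
    # shared or published rule text.
    set aes_key "AES 128 63544a5e7178677b45366b41405f2dab"

    # Name of the cookie to encrypt/decrypt.
    # (Original had `set cookie"myCookie"` with the space missing, which
    # makes Tcl look for a command named `cookie"myCookie"` instead of
    # assigning the variable.)
    set cookie "myCookie"

    # Log debug messages to /var/log/ltm? 1=yes, 0=no.
    # Debug logging writes cookie plaintext to the log; leave at 0 in production.
    set cookie_encryption_debug 0
}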
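when HTTP_RESPONSE {
    # Encrypt the application's cookie value before it leaves for the client.
    # Uses $aes_key, $cookie and $cookie_encryption_debug from CLIENT_ACCEPTED.

    # Only act when the response carries the cookie with a non-empty value.
    if {[string length [HTTP::cookie value $cookie]] > 0} {
        # Read the plaintext once; it is reused for the log line and the encrypt call.
        set plain_value [HTTP::cookie value $cookie]

        # Log the original cookie value from the app (plaintext - debug only).
        if {$cookie_encryption_debug} {
            log local0. "Response from app contained our cookie: $plain_value"
        }

        # Encrypt, then URI-encode so the ciphertext survives as a cookie value.
        # Not wrapped in catch on purpose: if AES::encrypt fails we must not
        # fall through and send the plaintext value unchanged (what the
        # platform does on an uncaught iRule error is outside this file -
        # confirm it does not forward the response as-is).
        # NOTE(review): encryption hides the value from the client; whether
        # AES::encrypt also detects tampering is not established here, so the
        # decrypting side must still treat the recovered plaintext as untrusted.
        set encrypted_value [URI::encode [AES::encrypt $aes_key $plain_value]]
        HTTP::cookie value $cookie $encrypted_value

        # Log the value actually set on the cookie. The original re-ran
        # AES::encrypt over the already-encrypted cookie here, so the logged
        # string never matched what the client received.
        if {$cookie_encryption_debug} {
            log local0. "Encrypted error cookie to: $encrypted_value"
        }
    }
}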
when HTTP_REQUEST {
# If the error cookie exists with any value, for any requested object, try to
decrypt it
if {[string length [HTTP::cookie value $cookie]]}{
if {$cookie_encryption_debug}{log local0.
"Original error cookie value: [HTTP::cookie value $cookie]"}
# URI decode the value (catching any errors that occur when trying to
# decode the cookie value and save the output to cookie_uri_decoded)
if {not ([catch {URI::decode [HTTP::cookie value $cookie]}
cookie_uri_decoded])}{
# Log that the cookie was URI decoded
if {$cookie_encryption_debug}{log local0. "$cookie_uri_decoded was set
successfully"}
# Decrypt the value
if {not ([catch {AES::decrypt $aes_key $cookie_uri_decoded}
cookie_decrypted])}{
# Log the decrypted cookie value
if {$cookie_encryption_debug}{log local0. "$cookie_decrypted:
$cookie_decrypted"}
} else {
# URI decoded value couldn't be decrypted.
}
} else {
# Cookie value couldn't be URI decoded
}
} else {