AskF5 Knowledge Base


sol7784: Overview of cookie encryption
General Solution

Original Publication Date: 09/16/2007
Updated Date: 02/14/2012

You can configure the BIG-IP LTM to encrypt HTTP cookies before sending them to the client system. The BIG-IP LTM can encrypt BIG-IP persistence cookies as well as cookies that are embedded in the response from the server. Encrypting cookies keeps their contents private when a cookie carries sensitive information about the web application.

When cookie encryption is enabled, the BIG-IP LTM extracts the unencrypted cookie from the server response, encrypts it using the AES cipher, and encodes the result using the Base64 encoding scheme. The BIG-IP LTM then embeds the encrypted cookie in the HTTP response to the client. On subsequent requests, when the client presents the encrypted cookie to the BIG-IP LTM, the BIG-IP LTM removes the cookie, decodes it using the Base64 encoding scheme, and decrypts it. The BIG-IP LTM then re-embeds the decrypted cookie in the HTTP request to the server.
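The round trip described above, written out as an added example in Go (this is not F5 code and does not reproduce the BIG-IP implementation): the response path takes the server's cleartext cookie value, AES-encrypts it under a key derived from a passphrase, and Base64-encodes it; the request path reverses the two steps before the value is forwarded to the server. The article states only "AES", a passphrase and a 192-bit key, so the key derivation (SHA-256 truncated to 24 bytes) and the cipher mode (AES-GCM, chosen here so that a cookie modified by the client fails to decrypt instead of being forwarded as garbage) are this example's assumptions, as are the cookie value and passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// keyFromPassphrase turns the configured passphrase into a 192-bit AES key.
// Assumption for this example only: SHA-256 truncated to 24 bytes stands in
// for whatever derivation the product uses; the article does not say.
func keyFromPassphrase(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:24] // 24 bytes = AES-192
}

func newGCM(passphrase string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyFromPassphrase(passphrase))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCookie is the response path: cleartext -> AES -> Base64.
// The random nonce is prepended so the request path can find it again.
func EncryptCookie(passphrase, value string) (string, error) {
	gcm, err := newGCM(passphrase)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(value), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptCookie is the request path: Base64 -> AES -> cleartext.
// Anything that does not decode and authenticate is rejected, so a cookie
// the client altered is never re-embedded in the request to the server.
func DecryptCookie(passphrase, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("cookie is not valid Base64: %w", err)
	}
	gcm, err := newGCM(passphrase)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("cookie too short to contain a nonce")
	}
	nonce, ciphertext := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return "", errors.New("cookie failed to decrypt: wrong passphrase or modified by the client")
	}
	return string(plaintext), nil
}

func main() {
	// Constructed sample values: a server-set cookie and a placeholder passphrase.
	const passphrase = "example-passphrase"
	const serverValue = "sessionid=12345; role=user"

	toClient, err := EncryptCookie(passphrase, serverValue)
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie sent to client: app=" + toClient)

	toServer, err := DecryptCookie(passphrase, toClient)
	fmt.Println("Cookie forwarded to server:", toServer, err)

	// A cookie the client tampered with (last Base64 group replaced) is rejected.
	_, err = DecryptCookie(passphrase, toClient[:len(toClient)-4]+"AAAA")
	fmt.Println("Tampered cookie:", err)
}
```

Because the Base64 text is opaque to the client, the application's cookie contents stay private in transit and in the browser's cookie store; the authenticated mode used here additionally means the device can tell a modified cookie from a genuine one, which plain encryption alone would not guarantee.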

You can use one of the following two methods to encrypt cookies depending on the version of BIG-IP LTM you are using:

  • Configuring cookie encryption using the HTTP profile
  • Configuring cookie encryption using an iRule

Configuring cookie encryption using the HTTP profile

Note: When you use the Configuration utility to configure cookie persistence, the cookies are encrypted using the AES cipher. The AES key length is 192 bits.

Beginning with BIG-IP LTM version 9.4.0, you can configure cookie encryption using the Configuration utility. To do so, perform the following procedure:

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. From the Services drop-down menu, select HTTP.
  5. Click Create.
  6. Enter a name for the HTTP profile.
  7. Enter one or more cookie names in the Encrypt Cookies box.

    Note: If you want to specify more than one cookie for the BIG-IP LTM to encrypt, separate the cookie names with a space.

    Note: Cookie names must not contain the period (.) character due to a known issue. For more information, refer to SOL12472: The Configuration utility returns an error message when the HTTP profile is configured with a period character in the 'Encrypt Cookies' field.

  8. Enter a passphrase for the cookie in the Cookie Encryption Passphrase box.
  9. Confirm the passphrase for the cookie by entering it in the Confirm Cookie Encryption Passphrase box.
  10. Click Update.

You must now associate the HTTP profile with the virtual server.

Configuring cookie encryption using an iRule

You can also configure cookie encryption using an iRule. To determine the procedure most applicable to your BIG-IP version and application, refer to the DevCentral Encrypting Cookies codeshare page.

Note: A separate DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).
