« Common Use Cases for Cascade | Top tips for accelerating SharePoint »

Cookie LoJack - Traffic Script to the Rescue

by Aidan Clarke | April 27, 2012 | Comments (0)

Stingray

So I have always loved Application Delivery Controller (ADC) traffic scripting capacities.  My discovery of ADCs fundamentally changed the way that architected data centres.  This is even more evident when you have the inevitable requirement to protect a Common Off The Shelf (COTS) applications.  Often with COTS apps, code change are not possible and you are at the application vendors mercy to implement changes to their product for you.  I have seen many instances where the client had a usage requirement that while valid for their use case, was not a use case the vendor wanted to support for a variety of reasons.

What this leads to is a situation where critical applications can be held up from being released because the deployment does not meet the customer's security requirements for things like cookie handling.  I have seen this hold up multi-million dollar Virtual Desktop Infrastructure (VDI) deployments as well as cripple ERM / ERP systems where the inability to provide controls around cookie based SSO rendered system open to abuse.

A common method I have invoked in these use cases is the concept of tagging a cookie before it is sent to a browser so that we can ensure it has come back from the same place we issued it to: Essentially, we can "LoJack" the cookies that have been issued by the server to prevent their mis-use.

The basic concept is that for a given cookie that the server relies on to ensure a user is authenticated, we will do the following:

  1. Intercept the cookie as it is issued from the server;
  2. Concatenate the original cookie with the client's IP address;
  3. Encrypt the new IP/Cookie; then
  4. Send it on to the customer.

What this allows for is a check on the cookies submitted by a client.  For any given HTTP request, we will do the following:

  1. Intercept the cookies sent by the browser;
  2. Find and decrypt the tagged cookie;
  3. Check that the IP address embedded in the encrypted cookie matches the IP address the cookie has just been sent from; and
  4. Allow us to either send the request with the original "good" cookie if the IP address matches -  or - strip the submitted cookie of the IP address does not match.

While this solution is not perfect for every situation - Large proxy farms that do not provide client persistence might trip it up for example - it is a crystal clear demonstration of where the ADC can again save the day...

The Traffic Script is available from the Code Samples section of the Riverbed Communities site on the link below:

http://community.riverbed.com/t5/Code-Samples/Cookie-LoJack-Protecting-Cookies-with-Traffic-Script/td-p/21385

 

 

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Subscribe

Enter your email so we can notify you of new posts.

Categories

More from Riverbed

Riverbed on Facebook

Riverbed on Twitter

Contact Us  |  Support  |  Riverbed Community  |  Legal Notices  |  Riverbed.com

©2012 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.