Cookie Encryption and Filtering by DeleGate

PageViews: 1,069 hits / 128 nets

Cookie encryption and filtering by DeleGate

Yutaka Sato

April 17, 2006

Encryption and filtering of HTTP Cookies is introduced in DeleGate/9.2.0-pre6. This feature is intended to protect Cookies from beeing used by others even if it is stolen by some means; for example by copying, by tapping, by Cross Site Scripting, or by HTTP Header Smuggling. With this feature, an attribute in a Cookie generated by a server is

stored in the encrypted format in clients
decryptable only by proxies (DeleGate) which knows the encryption key
forwarded only to the server which generated the Cookie

This feature is enabled with HTTPCONF=cryptCookie parameter as this:

% delegated -P8080 SERVER=http \
  HTTPCONF="cryptCookie:UserID@www.my.domain:Key"

In this example, a cookie attribute UserID returned in Set-Cookie from the server "http://www.my.domain" is encrypted before it is forwarded to clients. Then the cookie attribute UserID sent in a Cookie from a client is decrypted and forwarded to the server if and only if the destination host is "http://www.my.domain".

Set-Cookie: UserID=XX.YY; domain=.my.domain; path=/path YY == crypt(Key : .my.domain : www.my.domain : 80 : /path : uid) XX == crc(YY)

The encryption key can be dependent on the client. For example, "%a" represents the IP-address of the client host.

% delegated -P8080 SERVER=http \
  HTTPCONF="cryptCookie:UserID@www.my.domain:%a"

With this configuration, the cookie is encrypted with the IP-address of the client as the encryption key. Thus it can be decrypted only when it is sent from the clients on the host. If your DeleGate requires (proxy) user authentication, the encryption key can be the password for the authentication ("%P").

% delegated -P8080 SERVER=http \
  HTTPCONF="cryptCookie:UserID@www.my.domain:%P" AUTHORIZER=-pam

The latest specification in Manual.htm

cryptCookie:listOfCookies:cryptKey

listOfCookies == attributes[@domains]
attributes == attribute | {attribute,attribute,...}
domains == domain | {domain,domain,...}
domain == [.]domainName cryptKey == string | %a | %P

encrypt specified attributes in a Set-Cookie response to be stored in a client, then decrypt and forward the Cookie request only to the originator of the Cookie. An attribute in a Cookie is specified as "attribute@host" or "attribute@.domain". In the former case, a cookie generated by a host is encrypted and echoed to host only.In the latter case, a cookie generated by hosts in the domain can be echoed to hosts in the domain. The special string "%a" in cryptKey is substituted by the IP-address of the client. This makes the crypted Cookie be usable only by clients on the host of the IP-address.

Example:

HTTPCONF="cryptCookie:SessionID@host1.dom1,UserID@.dom2:nanjamonja" HTTPCONF="cryptCookie:UserID@.dom:nanjamonja" HTTPCONF="cryptCookie:UserID@{host1.dom,host2.dom}:nanjamonja"

[RETURN]

PageViews: 1,069 hits / 128 nets