PageViews: 1,070 hits / 128 nets |
Encryption and filtering of HTTP Cookies is introduced in DeleGate/9.2.0-pre6. This feature is intended to protect Cookies from beeing used by others even if it is stolen by some means; for example by copying, by tapping, by Cross Site Scripting, or by HTTP Header Smuggling. With this feature, an attribute in a Cookie generated by a server is
This feature is enabled with HTTPCONF=cryptCookie parameter as this:
% delegated -P8080 SERVER=http \ HTTPCONF="cryptCookie:UserID@www.my.domain:Key"In this example, a cookie attribute UserID returned in Set-Cookie from the server "http://www.my.domain" is encrypted before it is forwarded to clients. Then the cookie attribute UserID sent in a Cookie from a client is decrypted and forwarded to the server if and only if the destination host is "http://www.my.domain".
The encryption key can be dependent on the client. For example, "%a" represents the IP-address of the client host.
% delegated -P8080 SERVER=http \ HTTPCONF="cryptCookie:UserID@www.my.domain:%a"With this configuration, the cookie is encrypted with the IP-address of the client as the encryption key. Thus it can be decrypted only when it is sent from the clients on the host. If your DeleGate requires (proxy) user authentication, the encryption key can be the password for the authentication ("%P").
% delegated -P8080 SERVER=http \ HTTPCONF="cryptCookie:UserID@www.my.domain:%P" AUTHORIZER=-pam
encrypt specified attributes in a Set-Cookie response to be stored in a client, then decrypt and forward the Cookie request only to the originator of the Cookie. An attribute in a Cookie is specified as "attribute@host" or "attribute@.domain". In the former case, a cookie generated by a host is encrypted and echoed to host only.In the latter case, a cookie generated by hosts in the domain can be echoed to hosts in the domain. The special string "%a" in cryptKey is substituted by the IP-address of the client. This makes the crypted Cookie be usable only by clients on the host of the IP-address.
Example:
PageViews: 1,070 hits / 128 nets |