
Cookie encryption and filtering by DeleGate

Yutaka Sato
April 17, 2006

Encryption and filtering of HTTP Cookies is introduced in DeleGate/9.2.0-pre6. This feature is intended to protect Cookies from being used by others even if they are stolen by some means, for example by copying, by tapping, by Cross Site Scripting, or by HTTP Header Smuggling. With this feature, an attribute in a Cookie generated by a server is

This feature is enabled with the HTTPCONF=cryptCookie parameter, like this:

In this example, a cookie attribute UserID returned in Set-Cookie from the server "http://www.my.domain" is encrypted before it is forwarded to clients. Then the cookie attribute UserID sent in a Cookie from a client is decrypted and forwarded to the server if and only if the destination host is "http://www.my.domain".

The encryption key can be dependent on the client. For example, "%a" represents the IP-address of the client host.

With this configuration, the cookie is encrypted with the IP-address of the client as the encryption key. Thus it can be decrypted only when it is sent from a client on that host. If your DeleGate requires (proxy) user authentication, the encryption key can be the password used for that authentication ("%P").


The latest specification in Manual.htm

cryptCookie:listOfCookies:cryptKey
listOfCookies == attributes[@domains]
attributes == attribute | {attribute,attribute,...}
domains == domain | {domain,domain,...}
domain == [.]domainName
cryptKey == string | %a | %P

encrypt the specified attributes in a Set-Cookie response to be stored in a client, then decrypt and forward the Cookie request only to the originator of the Cookie. An attribute in a Cookie is specified as "attribute@host" or "attribute@.domain". In the former case, a cookie generated by a host is encrypted and echoed to that host only. In the latter case, a cookie generated by hosts in the domain can be echoed to hosts in the domain. The special string "%a" in cryptKey is substituted by the IP-address of the client. This makes the encrypted Cookie usable only by clients on the host with that IP-address.

Example:

    HTTPCONF="cryptCookie:SessionID@host1.dom1,UserID@.dom2:nanjamonja"
    HTTPCONF="cryptCookie:UserID@.dom:nanjamonja"
    HTTPCONF="cryptCookie:UserID@{host1.dom,host2.dom}:nanjamonja"
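The rule semantics above, modelled as an added example (not DeleGate's own code): it parses the single-entry form of a cryptCookie rule (one attribute list and one domain list, so the first example line would need one rule per entry), seals a listed Set-Cookie attribute under a key derived from "%a" (the client's IP-address), and decrypts it on the way back only toward a destination host covered by the rule, dropping anything that does not decrypt. The cipher (a SHAKE-256 keystream with an HMAC tag) is an assumed stand-in for whatever DeleGate actually uses, and the host names and addresses are constructed.

```python
import base64, hashlib, hmac, os

def _key(crypt_key, client_ip):  # "%a" in cryptKey becomes the client's IP-address, as in the manual
    return hashlib.sha256(crypt_key.replace("%a", client_ip).encode()).digest()

def _xor(key, nonce, data):  # XOR with a SHAKE-256 keystream (assumed stand-in for DeleGate's cipher)
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def seal(key, value):
    nonce = os.urandom(8)
    ct = _xor(key, nonce, value.encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]  # encrypt-then-MAC
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def unseal(key, token):
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None  # not something this proxy produced (e.g. a plaintext value)
    nonce, ct, tag = raw[:8], raw[8:-16], raw[-16:]
    good = hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16])
    return _xor(key, nonce, ct).decode() if good else None  # another client's key, or tampered

def parse_rule(httpconf):  # "cryptCookie:UserID@{host1.dom,host2.dom}:%a" -> (attributes, domains, cryptKey)
    _, cookies, crypt_key = httpconf.split(":", 2)
    attrs, _, doms = cookies.partition("@")
    split = lambda s: [x for x in s.strip("{}").split(",") if x]
    return set(split(attrs)), split(doms), crypt_key

def host_matches(host, domains):  # "host1.dom": that host only; ".dom": every host in the domain
    return any(host == d or (d.startswith(".") and host.endswith(d)) for d in domains)

def on_response(rule, origin_host, client_ip, set_cookie):
    attrs, domains, crypt_key = rule
    name, _, rest = set_cookie.partition("=")
    if name not in attrs or not host_matches(origin_host, domains):
        return set_cookie  # not a protected attribute, or not generated by a listed host
    value, sep, tail = rest.partition(";")  # "; Path=/ ..." is kept as-is
    return f"{name}={seal(_key(crypt_key, client_ip), value)}{sep}{tail}"

def on_request(rule, dest_host, client_ip, cookie):
    attrs, domains, crypt_key = rule
    kept = []
    for item in (i.strip() for i in cookie.split(";") if i.strip()):
        name, _, val = item.partition("=")
        if name not in attrs:
            kept.append(item)  # unprotected attribute: passed through untouched
        elif host_matches(dest_host, domains) and (val := unseal(_key(crypt_key, client_ip), val)) is not None:
            kept.append(f"{name}={val}")  # forwarded only toward its originating host/domain; else dropped
    return "; ".join(kept)
```

With the rule "cryptCookie:UserID@.dom:%a", a cookie sealed for client 10.0.0.5 is forwarded to www.dom as "UserID=alice", while the same token replayed from another address, sent to a host outside .dom, or replaced by a plaintext "UserID=alice" is dropped before it reaches the server.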
