Cookie encryption and filtering by DeleGate
Yutaka Sato
April 17, 2006
Encryption and filtering of HTTP Cookies is introduced in
DeleGate/9.2.0-pre6.
This feature is intended to protect Cookies from being used by others
even if they are stolen by some means; for example by copying, by tapping,
by Cross Site Scripting, or by HTTP Header Smuggling.
With this feature, an attribute in a Cookie generated by a server is
- stored in the encrypted format in clients
- decryptable only by proxies (DeleGate) that know the encryption key
- forwarded only to the server which generated the Cookie
This feature is enabled with the HTTPCONF=cryptCookie parameter, as follows:
% delegated -P8080 SERVER=http HTTPCONF="cryptCookie:UserID@www.my.domain:Key"
In this example, a cookie attribute UserID returned
in Set-Cookie from the server "http://www.my.domain" is encrypted
before it is forwarded to clients.
Then the cookie attribute UserID sent in a Cookie
from a client is decrypted and forwarded to the server if and only if
the destination host is "http://www.my.domain".
[original Cookie]
Set-Cookie: UserID=uid; domain=.my.domain; path=/path
[encrypted Cookie]
Set-Cookie: UserID=XX.YY; domain=.my.domain; path=/path
YY == crypt(Key : .my.domain : www.my.domain : 80 : /path : uid)
XX == crc(YY)
The encryption key can be dependent on the client. For example,
"%a" represents the IP-address of the client host.
% delegated -P8080 SERVER=http HTTPCONF="cryptCookie:UserID@www.my.domain:%a"
With this configuration, the cookie is encrypted with the IP-address of
the client as the encryption key. Thus it can be decrypted only when it
is sent from a client on that host.
If your DeleGate requires (proxy) user authentication, the encryption key
can be the password for the authentication ("%P").
% delegated -P8080 SERVER=http HTTPCONF="cryptCookie:UserID@www.my.domain:%P" AUTHORIZER=-pam
The latest specification in Manual.htm
- cryptCookie:listOfCookies:cryptKey
listOfCookies == attributes[@domains]
attributes == attribute | {attribute,attribute,...}
domains == domain | {domain,domain,...}
domain == [.]domainName
cryptKey == string | %a | %P
Encrypt the specified attributes in a Set-Cookie response to be stored in a client,
then decrypt and forward the Cookie request only to the originator
of the Cookie.
An attribute in a Cookie is specified as "attribute@host"
or "attribute@.domain".
In the former case, a cookie generated by a host is encrypted
and echoed to that host only. In the latter case, a cookie generated by hosts in the domain
can be echoed to hosts in the domain.
The special string "%a" in cryptKey is substituted by
the IP-address of the client. This makes the encrypted Cookie usable
only by clients on the host with that IP-address.
Example:
HTTPCONF="cryptCookie:SessionID@host1.dom1,UserID@.dom2:nanjamonja"
HTTPCONF="cryptCookie:UserID@.dom:nanjamonja"
HTTPCONF="cryptCookie:UserID@{host1.dom,host2.dom}:nanjamonja"
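To audit which destination hosts a given cryptCookie value allows a decrypted attribute to reach, the grammar above can be modelled as follows. This is an added example, not DeleGate code: the function names are hypothetical, and the suffix matching for ".domain" and the handling of an omitted @domains are assumptions.

```python
# Added example, not DeleGate code: a model of the cryptCookie grammar quoted
# above. Function names are hypothetical; the matching rules are assumptions.

def split_top(s, sep=","):
    """Split on sep, ignoring separators inside {...} groups."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "{") - (ch == "}")
        if ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def group(s):
    """'x' -> ['x'];  '{x,y}' -> ['x', 'y']"""
    if s.startswith("{") and s.endswith("}"):
        return s[1:-1].split(",")
    return [s]

def parse_crypt_cookie(conf):
    """Parse 'cryptCookie:listOfCookies:cryptKey' into (rules, key)."""
    name, cookies, key = conf.split(":", 2)
    if name != "cryptCookie":
        raise ValueError("not a cryptCookie parameter")
    rules = {}  # attribute -> list of host or .domain scopes
    for item in split_top(cookies):
        attrs, _, doms = item.partition("@")
        for attr in group(attrs):
            # Assumption: an omitted @domains adds no scope (fails closed here).
            rules.setdefault(attr, []).extend(group(doms) if doms else [])
    return rules, key

def may_decrypt_for(rules, attr, dest_host):
    """True if the rules let the proxy decrypt attr and forward it to dest_host."""
    host = dest_host.lower()
    for scope in rules.get(attr, []):
        scope = scope.lower()
        if scope.startswith("."):      # attribute@.domain: any host in the domain
            if host.endswith(scope):
                return True
        elif host == scope:            # attribute@host: that host only
            return True
    return False
```

An attribute that is not listed in the parameter returns False because cryptCookie does not process it at all; such a cookie is outside this model.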