Are cookies readable using HTTPS/SSL?

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Trying to do some load balancing and the application guys say it needs to be persistent/stuck based on cookies. However the app uses HTTPS only.

This doesn't make any sense. How is the cookie supposed to be read if it's encrypted? If it's using SSL then it's encrypted at the session layer and therefore no L7 data can be read?

Or am I missing something here?
 

spidey07

Well in this case the certs aren't installed on the content switch, only on the server. If I put the certs on the content switch then I could probably do cookie based persistence because it could decrypt them and build the appropriate sticky entries. Don't particularly want to do that.

Oh - and I've already googled. ;) Thanks for the links though.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Any use of cookies would have to happen as part of the normal HTTP session so if you're SSL encrypting that session then the cookie data would also be encrypted.
 

spidey07

Originally posted by: Nothinman
Any use of cookies would have to happen as part of the normal HTTP session so if you're SSL encrypting that session then the cookie data would also be encrypted.

That's what I thought. The app guys are clueless on their own application and how it and the entire Internet works. Go figure.
 

Nothinman

Originally posted by: spidey07
That's what I thought. The app guys are clueless on their own application and how it and the entire Internet works. Go figure.

Of course not, they just know that they can look at Response.Cookies("cookiename").Value to get/set a cookie and hope that IIS does the right thing. And it's not like that's a new thing, I was amazed at how little understanding the developers at my last job had of the OS on which their apps run. Hell, at one point some of them were picking random numbers (turns out they were dates of things like birthdays) for the ports that their app used because they didn't understand how port numbers fit into the whole TCP/IP thing.
 

spidey07

Originally posted by: Nothinman
That's what I thought. The app guys are clueless on their own application and how it and the entire Internet works. Go figure.

Of course not, they just know that they can look at Response.Cookies("cookiename").Value to get/set a cookie and hope that IIS does the right thing. And it's not like that's a new thing, I was amazed at how little understanding the developers at my last job had of the OS on which their apps run. Hell, at one point some of them were picking random numbers (turns out they were dates of things like birthdays) for the ports that their app used because they didn't understand how port numbers fit into the whole TCP/IP thing.

I had to ask the guy for the cert and key so I could get it on the load balancer. He asked "you have to run IIS for the cert to work".

WTF! OK moron, I just asked for the cert and key.

"but, the web server must use IIS"

Look idiot, you wanted load balancing/content switching, on YOUR application. Trust me, gimme the cert file and the key and we'll be fine. I'll even let you tell me what cipher to use.

"I don't think that is possible."

GAAAH!!! You want me to balance/sticky based on a cookie. I need to understand that cookie. gimme the files moron, this is how the intarweb and content switching works.
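
The two setups the thread contrasts, as an added configuration sketch that is not part of any post above and is not for the content switch the posters were using. It is written in HAProxy syntax as an assumption; every address, path and name in it is a placeholder.

```haproxy
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Variant A: TLS passthrough. The balancer has no private key, so the
# Cookie header is ciphertext to it. Persistence can only use what is
# visible below the TLS layer, here the client source address.
frontend fe_passthrough
    mode tcp
    bind 192.0.2.10:443
    default_backend be_passthrough

backend be_passthrough
    mode tcp
    balance roundrobin
    stick-table type ip size 100k expire 30m
    stick on src
    server app1 10.0.0.11:443 check
    server app2 10.0.0.12:443 check

# Variant B: TLS terminated on the balancer. The cert and key live on the
# balancer (one PEM file, readable only by the haproxy user), the request
# is decrypted there, and cookie persistence becomes possible.
frontend fe_terminate
    mode http
    bind 192.0.2.20:443 ssl crt /etc/haproxy/certs/app.example.pem
    default_backend be_cookie

backend be_cookie
    mode http
    balance roundrobin
    # The balancer sets its own persistence cookie; "secure" and "httponly"
    # keep it off plaintext connections and out of page scripts.
    cookie SRVID insert indirect nocache httponly secure
    # Re-encrypt to the servers and verify their certificates so traffic
    # is not in the clear behind the balancer.
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem cookie app1 check
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem cookie app2 check
```

Variant B puts the private key on one more device, so that device needs the same key protection and patching discipline as the web servers.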