• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Are cookies readable using HTTPS/SSL?

S

spidey07

No Lifer
Trying to do some load balancing and the application guys say it needs to be persistent/stuck based on cookies. However the app uses HTTPS only.

This doesn't make any sense. How is the cookie supposed to be read if it's encrypted? If it's using ssl then it's encrypted at the session layer and therefore no L7 data can be read?

or am I missing something here.
 
Well in this case the certs aren't installed on the content switch, only on the server. If I put the certs on the content switch then I could probably do cookie based persistence because it could decrypt them and build the appropriate sticky entries. Don't particularly want to do that.

oh - and I've already googled. 😉 Thanks for the links though.
 
Any use of cookies would have to happen as part of the normal HTTP session so if you're SSL encrypting that session then the cookie data would also be encrypted.
 
Originally posted by: Nothinman
Any use of cookies would have to happen as part of the normal HTTP session so if you're SSL encrypting that session then the cookie data would also be encrypted.
Click to expand...

That's what I thought. The app guys are clueless on their own application and how it and the entire Internet works. Go figure.
 
That's what I thought. The app guys are clueless on their own application and how it and the entire Internet works. Go figure.
Click to expand...

Of course not, they just know that they call look at Response.Cookies("cookiename").Value to get/set a cookie and hope that IIS does the right thing. And it's not like that's a new thing, I was amazed at how little understanding the developers at my last job had of the OS on which their apps run. Hell at one point some of them were picking random numbers (turns out they were dates of things like birthdays) for the ports that their app used because they didn't understand how port numbers fit into the whole TCP/IP thing.
 
Originally posted by: Nothinman
That's what I thought. The app guys are clueless on their own application and how it and the entire Internet works. Go figure.
Click to expand...

Of course not, they just know that they call look at Response.Cookies("cookiename").Value to get/set a cookie and hope that IIS does the right thing. And it's not like that's a new thing, I was amazed at how little understanding the developers at my last job had of the OS on which their apps run. Hell at one point some of them were picking random numbers (turns out they were dates of things like birthdays) for the ports that their app used because they didn't understand how port numbers fit into the whole TCP/IP thing.
Click to expand...

I had to ask the guy for the cert and key so I could get it on the load balancer. He asked "you have to run IIS for the cert to work".

WTF! OK moron, I just asked for the cert and key.

"but, the web server must use IIS"

Look idiot, you wanted load balancing/content switching, on YOUR application. Trust me, gimme the cert file and the key and we'll be fine. I'll even let you tell me what cipher to use.

"I don't think that is possible."

GAAAH!!! You want me to balance/sticky based on a cookie. I need to understand that cookie. gimme the files moron, this is how the intarweb and content switching works.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top