• Guides
• Signed Cookies

Signed Cookies is a serverless solution, divided in two parts, available at Azion Marketplace.

Signed cookies are a type of cookie that has an extra layer of security. Cookies that are signed have the information within them encrypted and can only be read by the website that created them. Signed cookies are often used for authentication purposes; for example, to remember if a user has logged in to a website. This allows the website to verify whether third parties have interfered with or altered the session data. This is an effective defense against session hijacking and other security attacks.

Signed cookies can include a timestamp or expiration date in addition to encryption. This ensures that the data is only valid for a limited time. All in all, signed cookies are a vital tool for web developers to maintain security and integrity of user data.

Remember: this solution is, in fact, two. The Signed Cookies solution is divided into the hash generator and the hash validator.

To install the solution, follow these steps:

1. Log in to your Real-Time Manager (RTM) account.
   • If you don’t have an account, you can create one here.
2. On the upper-left corner of the page, select Products menu > Marketplace.
3. Select the search box and type “signed cookies” or browse through the cards to find the two Signed Cookies solutions.
4. Once you’ve found the Signed Cookies - Hash Generator and Signed Cookies - Hash Validator cards, select one to go to the solution page.
5. On the solution page, look for the Subscribe for section on the bottom-right corner.
6. Click the Get It Now button.

You’ll follow the same steps to install the second solution, the Signed Cookies, only changing the name of the solution.

In both cases, after clicking on the Get it now button, you’ll see a message indicating that your solution was successfully installed and is ready to use.

The solution obtained from the Azion Marketplace is added to your list of Edge Functions. Therefore, to use the Signed Cookies solution, you must create a new edge application to incorporate the new function.

For this task you have several modes of action, the main ones are:

• Visit the starting point documentation.
• Create an edge application on RTM by selecting Products menu > Edge Application and following the instructions.
• Use an existing edge application.

To configure your solution, proceed as follows:

1. On the upper-left corner, select Products menu > Edge Application on the BUILD section.
2. On the listing page of your edge applications, select the one you’ve created to use with the Signed Cookies solution.
3. On the Main Settings tab, under Modules, locate the Edge Functions switch and turn it on to enable Functions on your edge application.
4. Still under the Modules section, locate the Application Acceleration switch and turn it on to enable the Forward Cookies functionality for your application (this will be addressed at the Rules Engine section.
5. Click the Save button.

You’ll receive a successful message indicating your edge application was updated.

To enable this function, while still on the Edge Application page:

1. Select the Functions tab on the top list.
2. Click the Add Function button.
3. Choose an easy to remember name for your function.
4. On the dropdown function menu, select the Signed Cookies function.

This action will load the function, showing a form with the function’s source code and, just above it, two tabs: Code and Args. By clicking the Code tab you will be able to navigate through the code but won’t be able to change it.

As you have two solutions, you’ll have to configure two Args tabs, one for the response phase and another one for the request phase.

Remember that the Hash Generator has to run on the response phase, and the Hash Validator has to run on the request phase.

For the Hash Generator, the parameters are:

{
  "cookie_list": ["yummy_cookie", "tasty_cookie"],
  "cookie_secret": "ItIsASecret",
  "tampering_cookie_prefix": "tampering_protection"
}

Where:

• cookie_list: defines the list of cookies that should be protected. For each cookie in this list, an encrypted version of the cookie will be appended to the response.
• cookie_secret: a secret to protect the encrypted cookie against client-side manipulation.
• tampering_cookie_prefix: defines the prefix to be used in the name of the encrypted cookies.

You should pay attention to the possible values added to the tampering_cookie_prefix.

For example, if the value of this argument is tampering_protection and we protect the cookies yummy_cookie and tasty_cookie,the encrypted cookies created by the function will be named tampering_protection_yummy_cookie and tampering_protection_tasty_cookie.

If this argument doesn’t have a valid value, then the default value azion_tampering is used. Therefore, in this case, the encrypted cookies would be azion_tampering_yummy_cookie and azion_tampering_tasty_cookie.

For the Hash Validator, the parameters are:

{
  "cookie_list": ["yummy_cookie", "tasty_cookie"],
  "cookie_secret": "ItIsASecret",
  "tampering_cookie_prefix": "tampering_protection",
  "tampering_violation_header_prefix": "azion-tampering-violation"
}

These are the same fields of the Signed Cookies - Hash Generator, with the addition of one more field, tampering_violation_header_prefix. It defines a prefix to the headers which the function will append to the request whenever a cookie violation is identified.

You should pay attention to the possible values added to tampering_violation_header_prefix.

For example, the Cookie-Violation-Any, Cookie-Violation-Counter, and Cookie-Violation-List headers will be created if the value of this argument is Cookie-Violation.

If this argument doesn’t have valid data, the defaults are Azion-Tampering-Violation-Any, Azion-Tampering-Violation-Counter, and Azion-Tampering-Violation-List.

Still in the Edge Application page, in the Rules Engine tab, you have to configure the rules you want (criteria and behavior) to apply to run your function.

First, you have to configure the response phase for the Rules Engine. To do so, follow these steps:

1. Select the Rules Engine tab.
2. Click the New Rule button and select Response Phase.
3. Give an easy to remember name to your rule.
4. Pass the criteria you need to in order to run your solution.
5. On the behavior field, select Run Function from the dropdown menu and then select the Signed Cookies - Hash Generator function, according to the name you gave it in the instantiation step.
6. Click the Save button.

Now, you have to configure the request phase for the Rules Engine. To do so, follow these steps:

1. Select the Rules Engine tab.
2. Click the New Rule button and select Request Phase.
3. Give an easy to remember name to your rule.
4. Pass the criteria you need to in order to run your solution.
5. On the behavior field, select Run Function from the dropdown menu and then select the Signed Cookies - Hash Validator function, according to the name you gave it in the instantiation step.
   • You’ll also need a second behavior for the Signed Cookies - Hash Validator function: Forward Cookies.
6. To add it, click the + button and select the Forward Cookies option from the dropdown menu.
7. Click the Save button.

Done. You’ve successfully instantiated your two solutions and now you’re protected against attackers.

Contributors