How to use the Signed Cookies integration through Azion Marketplace

Signed Cookies is a serverless integration, divided in two parts, available at Azion Marketplace.

Signed cookies are a type of cookie that has an extra layer of security. Cookies that are signed have the information within them encrypted and can only be read by the website that created them. Signed cookies are often used for authentication purposes; for example, to remember if a user has logged in to a website. This allows the website to verify whether third parties have interfered with or altered the session data. This is an effective defense against session hijacking and other security attacks.

Signed cookies can include a timestamp or expiration date in addition to encryption. This ensures that the data is only valid for a limited time. All in all, signed cookies are a vital tool for web developers to maintain security and integrity of user data.

Getting the integration

Section titled Getting the integration

This integration is, in fact, two. The Signed Cookies integration is divided into the hash generator and the hash validator.

To install the integration, follow these steps:

  1. Access Azion Console > Marketplace.
  2. On the Marketplace homepage, look for the Signed Cookies integration.
  • You can search any integration by browsing through the cards or typing a keyword in the search bar.
  1. Once you’ve found the Signed Cookies - Hash Generator and Signed Cookies - Hash Validator cards, select one to go to the integration’s page.
  2. On the integration’s page, click the Get It Now button to install it.

A message appears indicating that your integration was successfully installed.

Then, follow the same steps to install the second integration.

Configuring the integration

Section titled Configuring the integration

To use the Signed Cookies integration, you must have at least one edge application to incorporate the new function.

To configure your integration, proceed as follows:

  1. On the upper-left corner, select Products menu > Edge Application on the BUILD section.
  2. On the listing page of your edge applications, select the one you want to use with the Signed Cookies integration.
  3. On the Main Settings tab, under Modules, locate the Edge Functions switch and turn it on to enable Functions on your edge application.
  4. Still under the Modules section, locate the Application Accelerator switch and turn it on to enable the Forward Cookies functionality for your application.
  1. Click the Save button.

You’ll receive a successful message indicating your edge application was updated.

Instantiating the integration

Section titled Instantiating the integration

To enable this function, while still on the Edge Application page:

  1. Select the Functions tab on the top list.
  2. Click the Add Function button.
  3. Choose an easy to remember name for your function.
  4. On the dropdown function menu, select the Signed Cookies function.

This action will load the function, showing a form with the function’s source code and, just above it, two tabs: Code and Args. By clicking the Code tab you will be able to navigate through the code but won’t be able to change it.

For the Hash Generator, the parameters are:

{
  "cookie_list": ["yummy_cookie", "tasty_cookie"],
  "cookie_secret": "ItIsASecret",
  "tampering_cookie_prefix": "tampering_protection"
}

Where:

  • cookie_list: defines the list of cookies that should be protected. For each cookie in this list, an encrypted version of the cookie will be appended to the response.
  • cookie_secret: defines a secret to protect the encrypted cookie against client-side manipulation.
  • tampering_cookie_prefix: defines the prefix to be used in the name of the encrypted cookies.

You should pay attention to the possible values added to the tampering_cookie_prefix.

For example, if the value of this argument is tampering_protection and the cookies are yummy_cookie and tasty_cookie, the encrypted cookies created by the function will be named tampering_protection_yummy_cookie and tampering_protection_tasty_cookie.

If this argument doesn’t have a valid value, then the default value azion_tampering is used. Therefore, in this case, the encrypted cookies would be azion_tampering_yummy_cookie and azion_tampering_tasty_cookie.

For the Hash Validator, the parameters are:

{
  "cookie_list": ["yummy_cookie", "tasty_cookie"],
  "cookie_secret": "ItIsASecret",
  "tampering_cookie_prefix": "tampering_protection",
  "tampering_violation_header_prefix": "azion-tampering-violation"
}

These are the same fields of the Signed Cookies - Hash Generator, with the addition of one more field, tampering_violation_header_prefix. It defines a prefix to the headers which the function will append to the request whenever a cookie violation is identified.

You should pay attention to the possible values added to tampering_violation_header_prefix.

For example, the Cookie-Violation-Any, Cookie-Violation-Counter, and Cookie-Violation-List headers will be created if the value of this argument is Cookie-Violation.

If this argument doesn’t have valid data, the defaults are Azion-Tampering-Violation-Any, Azion-Tampering-Violation-Counter, and Azion-Tampering-Violation-List.

Configuring a rule on Rules Engine

Section titled Configuring a rule on Rules Engine

Now you have to configure the rules you want (criteria and behavior) to apply to run your function.

First, you have to configure the response phase for the Rules Engine.

Still in the Edge Application page, follow these steps:

  1. Select the Rules Engine tab.
  2. Click the New Rule button and select Response Phase.
  3. Give an easy to remember name to your rule.
  4. Pass the criteria you need to in order to run your integration.
  5. On the behavior field, select Run Function from the dropdown menu.
  6. Select the Signed Cookies - Hash Generator function, according to the name you gave it in the instantiation step.
  7. Click the Save button.

Then, you have to configure the request phase for the Rules Engine.

Still in the Edge Application page, follow these steps:

  1. Select the Rules Engine tab.
  2. Click the New Rule button and select Request Phase.
  3. Give an easy to remember name to your rule.
  4. Pass the criteria you need to in order to run your integration.
  5. On the behavior field, select Run Function from the dropdown menu.
  6. Select the Signed Cookies - Hash Validator function, according to the name you gave it in the instantiation step.
    • You’ll also need a second behavior for the Signed Cookies - Hash Validator function: Forward Cookies.
  7. To add it, click the + button and select the Forward Cookies option from the dropdown menu.
  8. Click the Save button.

Done. You’ve successfully instantiated your two integrations and are now protected against attackers.

Contributors