Options
cookie persistence for PCI audit
![[Deleted User]](https://w2.vanillicon.com/v2/2e87888bd9b51a94a6457c8f7f609a9c.svg)
in aFleX
Posted by brunov
To successfully pass a PCI compliancy test, one of my clients moved from cookie persistency to aFleX persist uie persistence. The cookie persisten uses the same cookie value for each server. The below aflex creates a random 10 character string for each user.
To successfully pass a PCI compliancy test, one of my clients moved from cookie persistency to aFleX persist uie persistence. The cookie persisten uses the same cookie value for each server. The below aflex creates a random 10 character string for each user.
| Code: |
when HTTP_REQUEST {
# check to see if there is an existing cookie, and persist to that value
set cookievalue [HTTP::cookie value LBpersist]
set persistvalue [persist lookup uie $cookievalue all]
if { $persistvalue ne "" } {
persist uie $cookievalue
}
}
when HTTP_RESPONSE {
# if there is no existing cookie, calculate a random 10 character
# string based on the defined char set.
# this can be modified by adding to the char set, and increasing the for loop ($i < 10)
if { $persistvalue == "" } {
set char_set {0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K a b c d e f g}
set len 28
set cookieval {}
for {set i 0} {$i < 10} {incr i} {
set index [expr {int(rand()*$len)}]
append cookieval [lindex $char_set $index]
}
# insert the cookie into the server response, and add it to the persistence list.
HTTP::cookie insert name LBpersist value $cookieval
persist add uie $cookieval 1200 }
}
|
0