For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sgnormo's avatar
sgnormo
Icon for Cirrus rankCirrus
Sep 20, 2022

iRule setting Cookie Secure and SameSite

Created an iRule to set a cookie attribute to secure and samesite to Strict.  The site admins are reporting that this works and then will not work.  The virtual server is not using any persistences. ...
event
gersbah's avatar
gersbah
Icon for Cirrostratus rankCirrostratus
Sep 20, 2022

[HTTP::cookie names] returns a list of all cookies in the response, so what I think happens is if the SessionID cookie is the only cookie being set, it works, otherwise it doesn't.

You can iterate through the list of cookies, like shown here in the Examples but for your case it's probably simpler to use this condition instead:

if { [HTTP::cookie exists "SessionID"] } {
HTTP::cookie secure SessionID enable
HTTP::cookie attribute SessionID insert "SameSite" "Strict"
}

 

sgnormo's avatar
sgnormo
Icon for Cirrus rankCirrus
Sep 21, 2022

I appreciate that explaination and snippet of code.  i am still learning here.

I think I found why it might be having issues when traffic orignates from one location, while all the other locations appears to be working fine.

 

Internet User --> F5 (SSLO and WAF)--->F5 (Local site with iRule)-->backend servers - Works only when browser is refreshed.

Internal Users --> F5 (Local site with iRule)-->backend servers - This works