SameSite cookies and APM with v15
Hi,
So I was just going to implement adding the SameSite attribute to our APM cookies (MRHSession etc.) when I failed miserably, because it seems the change that you cannot read any HTTP headers after an iRule respond command also applies to APM responses...
when CLIENT_ACCEPTED {
    # Let iRule events fire for APM-internal requests and responses as well
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST priority 50 {
    # Remember the User-Agent so the response event can decide on SameSite
    set userAgent [HTTP::header User-Agent]
}
when HTTP_RESPONSE_RELEASE priority 50 {
    if {![info exists userAgent]} {
        return
    }
    if {![call /Common/RuleUtil::check_samesite_config $userAgent]} {
        unset -nocomplain userAgent
        return
    }
    unset -nocomplain userAgent
    # APM session cookies that should carry SameSite=None; Secure
    set named_cookies [list {MRHSession} {LastMRH_Session}]
    foreach cookie $named_cookies {
        if { [HTTP::cookie exists $cookie] } {
            HTTP::cookie attribute $cookie remove {SameSite}
            HTTP::cookie attribute $cookie insert {SameSite} "None"
            HTTP::cookie secure $cookie enable
        }
    }
    # unset takes the variable name, not its value
    unset -nocomplain named_cookies
}
This results in:
Aug 24 11:52:49 redacted err tmm[20803]: 01220001:3: TCL error: /Common/SET_SAMESITE_APM_COOKIES <HTTP_RESPONSE_RELEASE> - Can't call after responding - ERR_NOT_SUPPORTED (line 23) invoked from within "HTTP::cookie exists $cookie" ("foreach" body line 3) invoked from within "foreach cookie $named_cookies { if { [HTTP::cookie exists $cookie] } { log loca..."
And after a quick check I noticed that HTTP::has_responded does indeed return 1 for APM events.
So, how are we supposed to support SameSite attributes on APM cookies in v15?
Thanks!
Rene