Forum Discussion

Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus
Jul 18, 2024

Samesite none;secure

Hi,

We have one application published in F5. Now there is a requirement to SameSite none;secure cookie attribute for the same web application. Please let me know the F5 irule for the same.

Below is the details


when HTTP_REQUEST { 
    switch [string tolower [HTTP::host]] { 
        red.maf.ae {
        pool RED-POOL } 
        }
}add 

Please share the irule syntax to SameSite none;secure cookie for red.maf.ae

application delivery
  • CA_Valli's avatar
    CA_Valli
    Icon for MVP rankMVP
    Jul 23, 2024

    Hello, you'll need to change HTTP headers in the response to achieve this. Keep in mind that "samesite" attribute is local to each cookie. So you should only set "none" for cross-site cookies. IMO it's better to configure a list here. Also, all of the cross-site cookies must be secure, or browsers won't accept them. 

     

    I've changed your iRule adding a few lines of code. 

    when HTTP_REQUEST { 
  set xscookiz 0 #since this variable will be checked for every response , we need to set a default value
  switch [string tolower [HTTP::host]] { 
    red.maf.ae {
      pool RED-POOL
      set xs_cookiz 1 #only this host will change cookie secirity attribute 
    } 
  }
}
when HTTP_RESPONSE {
  if {$xscookiz eq 1}{
    set rsp_cookiz [HTTP::cookie names] #we're listing all cookies, then cheking them agains a DataGroup object that contains all cookie names that need to be changed this way (you need to insert ALL cookies that require this behvior in the DG for this code to work, with case sensitive names). If it's faster to list cookies that do NOT require this, just change the "if matchclass .." statement to be if not(matchclass .. )
    foreach cookiename $rsp_cookiz {
      if {[matchclass $cookiename eq secureCookies ]}{ 
        HTTP::cookie attribute $cookiename insert "SameSite" "None"
        HTTP::cookie secure $cookiename enable
      }
   }
 }
}