Forum Discussion
Preet_pk
Cirrus
CirrusSamesite none;secure
Hi, We have one application published in F5. Now there is a requirement to SameSite none;secure cookie attribute for the same web application. Please let me know the F5 irule for the same. Below is...
CA_Valli
MVP
MVPHello, you'll need to change HTTP headers in the response to achieve this. Keep in mind that "samesite" attribute is local to each cookie. So you should only set "none" for cross-site cookies. IMO it's better to configure a list here. Also, all of the cross-site cookies must be secure, or browsers won't accept them.
I've changed your iRule adding a few lines of code.
when HTTP_REQUEST {
set xscookiz 0 #since this variable will be checked for every response , we need to set a default value
switch [string tolower [HTTP::host]] {
red.maf.ae {
pool RED-POOL
set xs_cookiz 1 #only this host will change cookie secirity attribute
}
}
}
when HTTP_RESPONSE {
if {$xscookiz eq 1}{
set rsp_cookiz [HTTP::cookie names] #we're listing all cookies, then cheking them agains a DataGroup object that contains all cookie names that need to be changed this way (you need to insert ALL cookies that require this behvior in the DG for this code to work, with case sensitive names). If it's faster to list cookies that do NOT require this, just change the "if matchclass .." statement to be if not(matchclass .. )
foreach cookiename $rsp_cookiz {
if {[matchclass $cookiename eq secureCookies ]}{
HTTP::cookie attribute $cookiename insert "SameSite" "None"
HTTP::cookie secure $cookiename enable
}
}
}
}
