Increased Security With First Party Cookies
Hi Chris, I did get it working on 11.6 at least. Our use case was to set samesite=none as well. The issue was on this line: "HTTP::header Set-Cookie [lindex $newcookies 0]". It started working when I added replace between HTTP::header and Set-Cookie, like so: "HTTP::header replace Set-Cookie [lindex $newcookies 0]". Not sure if this is a syntax thing with my version, but it cleared out the errors I was seeing. Below is what I am using, including the samesite=none.
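when HTTP_RESPONSE {
    # iRule variables live for the whole connection, so start each response
    # with an empty list; otherwise cookies from an earlier response on a
    # keep-alive connection would be sent again
    set newcookies {}
    # Set-Cookie header can occur multiple times, treat as list
    set num [HTTP::header count Set-Cookie]
    if {$num > 0} {
        foreach set_cookie [HTTP::header values Set-Cookie] {
            # only modify if header does not have SameSite attribute
            # (substring match: also true when "SameSite" is part of the cookie name or value)
            set foundSameSite [string match -nocase "*SameSite*" $set_cookie]
            if {!$foundSameSite} {
                # append keeps the value as-is; concat would put a space before the ";"
                # browsers such as Chrome 80+ accept SameSite=None only on cookies that also carry Secure
                append set_cookie "; SameSite=None"
            }
            # collect modified and unmodified values in list newcookies
            lappend newcookies $set_cookie
        }
        if {$num == 1} {
            # overwrite existing
            HTTP::header replace Set-Cookie [lindex $newcookies 0]
        } else {
            # remove and replace
            HTTP::header remove Set-Cookie
            foreach set_cookie $newcookies {
                HTTP::header insert Set-Cookie $set_cookie
            }
        }
    }
}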
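A check for the Set-Cookie values that leave the virtual server after an iRule like the one above has run, written as an added example that is not part of the original post. It parses attributes instead of substring-matching, so it flags SameSite=None without Secure and cookies where "SameSite" only appears in the name or value; the function names and sample headers are assumptions made for illustration.

```python
# Added example; the cookie names and header values are constructed samples.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_cookie(value):
    """Return the SameSite findings for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(value)
    samesite = attrs.get("samesite")
    findings = []
    if samesite is None:
        findings.append(f"{name}: no SameSite attribute")
        if "samesite" in value.lower():
            # A *SameSite* substring test would treat this cookie as done.
            findings.append(f"{name}: 'SameSite' occurs only in the name or value")
    elif samesite.lower() not in ("none", "lax", "strict"):
        findings.append(f"{name}: unrecognised SameSite value {samesite!r}")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure")
    return findings


def audit_response(set_cookie_values):
    """Audit every Set-Cookie value of one response, in header order."""
    return [f for value in set_cookie_values for f in audit_cookie(value)]


# Constructed sample: what a client might receive from the virtual server.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly; SameSite=None",
    "sid2=def456; Path=/; Secure; SameSite=None",
    "samesite_pref=1; Path=/",
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```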