iRule to set SameSite for compatible clients and remove it for incompatible clients (LTM|ASM|APM)

A bunch of us have been refining approaches to help customers handle the new browser enforcement of the HTTP cookie SameSite attribute. I think we have a pretty solid approach now to handle compatib...
Published Feb 11, 2020
Version 1.0
application delivery
iRules
samesite
Simon_Kowallik's avatar
Simon_Kowallik
Icon for Employee rankEmployee
Feb 25, 2020

 Unfortunately the behaviour isn't consistent across incompatible clients. SameSite=None wasn't introduced in the first drafts of the RFC, which might be the reason why there is inconsistent behaviour, which ranges from treating SameSite=None as SameSite=strict to ignoring the cookie.

 

Here is the list of incompatible user-agents according to google chromium:

https://www.chromium.org/updates/same-site/incompatible-clients

 

Here is a quick read on this topic:

https://www.linkedin.com/pulse/samesite-cookies-your-legacy-web-apps-simon-kowallik