iRule to set SameSite for compatible clients and remove it for incompatible clients (LTM|ASM|APM)
A bunch of us have been refining approaches to help customers handle the new browser enforcement of the HTTP cookie SameSite attribute. I think we have a pretty solid approach now to handle compatib...
Published Feb 11, 2020
Version 1.0
axelfelix
Nimbostratus
NimbostratusHello ,
Nice Irule and work but I get an issue with it, I have a F5 with version BIG-IP 13.1.3.2 Build 0.0.4 Point Release 2.
I get the error below:
- 01070151:3: Rule [/Common/SameSite] error: /Common/SameSite:192: error: [undefined procedure: HTTP::has_responded][HTTP::has_responded]
So regarding the documentation, the 'HTTP::has_responded' variable appears after version BIGIP-14.0.
Then I've checked the GitHub repo dedicated to prior version 12 (https://github.com/f5devcentral/irules-toolbox/blob/master/security/http/cookies/samesite-attributes-pre-v12.tcl) and I can see the the condition below is not taken into consideration:
when HTTP_RESPONSE_RELEASE priority 900 {
# Don't do anything if a response has already been triggered for this request
if {[HTTP::has_responded]}{
if { $samesite_debug }{ log local0. "$prefix Exiting as response has already been triggered by another configuration option" }
# exit this event in this iRule
return
}So I have decided to test the Irule (https://github.com/f5devcentral/irules-toolbox/blob/master/security/http/cookies/samesite-attributes.tcl) removing the part below:
# Don't do anything if a response has already been triggered for this request
if {[HTTP::has_responded]}{
if { $samesite_debug }{ log local0. "$prefix Exiting as response has already been triggered by another configuration option" }
# exit this event in this iRule
return
}It seems to work correctly, but could you confirm if doing that we can get side effects or not, what could be the exact impact ?
Do you have any advice to replace it otherwise by another method ?
Many thanks in advance.
Have a nice day,
Alex