Lightboard Lessons: HTTP Cookie SameSite Attribute
In this episode of Lightboard Lessons, Jason covers the SameSite attribute on HTTP cookies and the implications for site developers and end users when Chrome begins enforcing a default of "lax" for cookies that carry no SameSite attribute, rolling out later this month to a limited set of Chrome v80 stable users. This should be addressed in the applications themselves, but BIG-IP can help via iRules and local traffic policies, as briefly described in the video, as well as via ASM module settings and NGINX directives.
Resources
- Start Here:
  - Article: Handling Incompatible Clients
  - AskF5 Knowledge Article on SameSite enforcement: K03346798
  - Article: Increased Security with First Party Cookies
- Additional iRule options:
  - ASM & NGINX Configuration Options
  - ASM Manual info on SameSite
  - NGINX proxy_cookie_path (Example: proxy_cookie_path / "/; secure; HttpOnly; SameSite=none";)
  - NGINX sticky cookie (Example: sticky cookie srv_id expires=1h httponly secure "path=/; SameSite";)
- Industry Insight
  - Chromium Updates on SameSite (offsite)
  - CSRF is (really) dead (offsite)
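The decision a proxy has to make before stamping SameSite on a response cookie is the one the "Handling Incompatible Clients" article covers: clients that honour SameSite=None get it (together with Secure, which Chrome requires for None), while clients known to mishandle None get the cookie without any SameSite attribute at all. The following Python models that logic so it can be run and tested offline; it is an added example, not F5 or NGINX code, and the function names (`samesite_none_incompatible`, `rewrite_set_cookie`), the DEMO_* values and the user-agent strings are constructed here. The client patterns follow Chromium's published list of known-incompatible user agents (Chrome 51-66, Safari and embedded browsers on iOS 12 and macOS 10.14, UC Browser before 12.13.2); an iRule or local traffic policy on BIG-IP, or the NGINX proxy_cookie_path directive, would apply the same rewrite to the Set-Cookie header in the data path.

```python
"""Model of the SameSite rewrite a proxy applies to Set-Cookie headers.

Added example (not F5/NGINX code). The known-incompatible client rules mirror
Chromium's published list; sample headers and user agents are constructed.
"""
import re

# Constructed sample data: a BIG-IP style persistence cookie and four clients.
DEMO_SET_COOKIE = "BIGipServerapp_pool=1677787402.20480.0000; path=/"
DEMO_UAS = {
    "chrome80": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "chrome60": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
    "ios12": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 "
             "Mobile/15E148 Safari/604.1",
    "ucbrowser": "Mozilla/5.0 (Linux; U; Android 8.1.0; en-US; Nexus 6P) "
                 "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                 "Chrome/57.0.2987.108 UCBrowser/12.11.2.1184 Mobile Safari/537.36",
}

_UC_RE = re.compile(r"UCBrowser/(\d+)\.(\d+)\.(\d+)")
_CHROME_RE = re.compile(r"Chrom(?:e|ium)/(\d+)")
_IOS12_RE = re.compile(r"\(iP(?:hone|ad|od)[^)]*OS 12[_ ]")


def samesite_none_incompatible(ua: str) -> bool:
    """True if this user agent is known to mishandle SameSite=None.

    Order matters: UC Browser advertises a Chrome token, so check it first;
    Chrome on macOS 10.14 is fine, so check Chrome before the Safari rules.
    """
    m = _UC_RE.search(ua)
    if m:  # UC Browser before 12.13.2 drops cookies carrying SameSite=None
        return tuple(int(x) for x in m.groups()) < (12, 13, 2)
    m = _CHROME_RE.search(ua)
    if m:  # Chrome 51-66 reject SameSite=None outright
        return 51 <= int(m.group(1)) <= 66
    if "Safari/" in ua:
        # Every browser on iOS 12, and Safari/embedded WebKit on macOS 10.14,
        # treats SameSite=None as SameSite=Strict.
        if _IOS12_RE.search(ua):
            return True
        if "Mac OS X 10_14" in ua and "Version/" in ua:
            return True
    return False


def rewrite_set_cookie(header: str, ua: str) -> str:
    """Return the Set-Cookie value rewritten for cross-site use.

    Compatible clients get 'Secure; SameSite=None' (None is only honoured on
    Secure cookies). Known-incompatible clients get no SameSite attribute,
    which is the behaviour they expect. Any existing SameSite value is
    replaced rather than duplicated.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name_value, attrs = parts[0], parts[1:]
    attrs = [a for a in attrs if a.split("=", 1)[0].strip().lower() != "samesite"]
    if samesite_none_incompatible(ua):
        return "; ".join([name_value] + attrs)
    if not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")
    attrs.append("SameSite=None")
    return "; ".join([name_value] + attrs)


if __name__ == "__main__":
    for label, ua in DEMO_UAS.items():
        print(f"{label:9s} incompatible={samesite_none_incompatible(ua)!s:5s} "
              f"-> {rewrite_set_cookie(DEMO_SET_COOKIE, ua)}")
```

Note that the rewrite only ever emits None; a cookie that is meant to stay first-party should instead be left alone, since Chrome 80's default of Lax is the safer setting for it, and the per-client branch is what keeps the old clients working until they age out.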
Published Feb 06, 2020
Version 1.0
JRahm, Admin (joined January 20, 2005)
- kend
How would I accomplish setting the SameSite attribute to none using a local policy on the LTM instead of an iRule?