JRahm
Community Manager

Problem this snippet solves:

UPDATE: Browser handling of SameSite is still evolving rapidly. The newer iRule linked in the comments below (which sets SameSite only for compatible clients and removes it for the rest) should be used in preference to the iRule contents below.


Chrome (and likely other browsers to follow) will treat HTTP cookies that do not explicitly set the SameSite attribute as SameSite=Lax, beginning with a limited rollout the week of Feb 17th, 2020. That change can break sites that rely on cross-site cookies without saying so. This iRule sets the SameSite attribute on every BIG-IP and app cookie found in Set-Cookie headers. Note that it does not modify cookies set on the client using JavaScript or other methods.


Contributed by: hoolio

How to use this snippet:

Apply the iRule to the appropriate virtual servers.

Code :

when HTTP_RESPONSE_RELEASE {
	# Set the SameSite attribute on every BIG-IP and app cookie found in the
	# response's Set-Cookie headers. Allowed values:
	#
	# none:   cookie is sent on both same-site and cross-site requests. The value
	#         must be explicitly "None", and the cookie must also carry the Secure
	#         attribute (i.e. be served over HTTPS). Browsers reject a cookie that
	#         specifies None without Secure, so this iRule adds Secure automatically.
	#         None opts the cookie out of the browser's cross-site request (CSRF)
	#         protection, so use it only for cookies that genuinely must be sent
	#         from third-party contexts.
	#
	# lax:    cookie is sent on same-site requests and on top-level cross-site
	#         navigations that use a safe method such as GET (e.g. following a link),
	#         but is withheld on cross-site sub-requests such as images, iframes and
	#         POSTs from another site. This is what Chrome applies when no SameSite
	#         attribute is present.
	#
	# strict: cookie is never sent on any cross-site request, including top-level
	#         navigations that arrive from another site.
	#
	#         Based on the definitions at: https://docs.microsoft.com/en-us/microsoftteams/platform/resources/samesite-cookie-update
	#
	# Note: this iRule does not modify cookies set on the client by JavaScript or by
	# any other means outside of Set-Cookie headers, and some older user-agents do not
	# handle SameSite=None correctly (see the follow-up iRule linked in the comments).
	set samesite_security "none"

	# Log debug to /var/log/ltm? (1=yes, 0=no)
	# Set this to 0 in production: the debug lines below write the full Set-Cookie
	# values, i.e. session tokens, to the local log.
	set cookie_debug 1

	set cookie_names [HTTP::cookie names]
	if { $cookie_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: \[HTTP::header values {Set-Cookie}\]: [HTTP::header values {Set-Cookie}]" }
	if { $cookie_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: \$cookie_names ([llength $cookie_names]): $cookie_names" }
	foreach a_cookie $cookie_names {
		# Remove any prior instance of the SameSite attribute (attribute names are case-insensitive)
		HTTP::cookie attribute $a_cookie remove {samesite}

		# Insert the configured SameSite attribute
		HTTP::cookie attribute $a_cookie insert {samesite} $samesite_security

		# If SameSite is None, the Secure flag must also be set or browsers reject the cookie.
		# Secure cookies are only returned over HTTPS, so the virtual server must be terminating TLS.
		if { [string equal -nocase $samesite_security "none"] } {
			HTTP::cookie secure $a_cookie enable
		}
	}
	if { $cookie_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Set-Cookie header values: [HTTP::header values {Set-Cookie}]" }
}
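The iRule above works on the cookie objects the BIG-IP parses out of Set-Cookie, and the v11 workaround in the comments works on the raw header strings. As an added example that is not part of the original snippet, here is the same rewrite logic written in Python, so the attribute handling (strip any existing SameSite, append the configured one, force Secure when the value is None) can be unit-tested offline before an iRule goes onto a virtual server. The function names, the audit helper and the sample Set-Cookie values are constructed for this example; they are not BIG-IP APIs or captured traffic.

```python
"""Reference model of the Set-Cookie rewrite performed by the SameSite iRule."""
from __future__ import annotations

# Constructed sample Set-Cookie header values (not captured from a real BIG-IP).
SAMPLE_SET_COOKIE = [
    "BIGipServerpool_app=1677721600.20480.0000; path=/; Httponly",
    "JSESSIONID=AB12CD34; Path=/app; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/; Secure; samesite=lax",
    "csrf=xyz; Path=/; Secure",
]

SAMESITE_VALUES = ("none", "lax", "strict")


def split_attributes(header_value: str) -> tuple[str, list[str]]:
    """Split 'name=value; attr; attr=val' into the name=value pair and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    pair, attrs = parts[0], [p for p in parts[1:] if p]
    return pair, attrs


def rewrite_set_cookie(header_value: str, samesite: str) -> str:
    """Mirror the iRule: drop any prior SameSite attribute, append the configured one,
    and add Secure when SameSite=None, since browsers reject None without Secure."""
    samesite = samesite.lower()
    if samesite not in SAMESITE_VALUES:
        raise ValueError(f"unsupported SameSite value: {samesite}")
    pair, attrs = split_attributes(header_value)
    # Attribute names are case-insensitive, so compare on the lower-cased name.
    attrs = [a for a in attrs if a.split("=", 1)[0].strip().lower() != "samesite"]
    attrs.append(f"SameSite={samesite.capitalize()}")
    if samesite == "none" and not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")
    return "; ".join([pair, *attrs])


def audit_set_cookie(header_value: str) -> str | None:
    """Return a finding for a cookie that a Lax-by-default browser handles differently
    than the application probably intended, or None if the header is fine."""
    pair, attrs = split_attributes(header_value)
    name = pair.split("=", 1)[0]
    samesite = None
    secure = False
    for a in attrs:
        key, _, val = a.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().lower()
        elif key == "secure":
            secure = True
    if samesite is None:
        return f"{name}: no SameSite attribute; Chrome will treat it as Lax"
    if samesite == "none" and not secure:
        return f"{name}: SameSite=None without Secure; browser will reject the cookie"
    return None


def rewrite_all(headers: list[str], samesite: str = "none") -> list[str]:
    """Apply the rewrite to every Set-Cookie value in a response."""
    return [rewrite_set_cookie(h, samesite) for h in headers]


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE:
        print(audit_set_cookie(h) or f"{h.split('=', 1)[0]}: ok")
    for h in rewrite_all(SAMPLE_SET_COOKIE, "none"):
        print(h)
```

Run it against the Set-Cookie values you see in your own responses (for example, copied out of the iRule's debug log) to confirm which cookies would change and which would be rejected if you pick None without TLS termination.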

Tested this on version:

13.0
Comments
Hoolio
F5 Employee

I think this latest iRule handles more scenarios for SameSite, including user-agents that don't support cookies with SameSite=None.


https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-...


Aaron

David_Scott
F5 Employee

If you're on a version that doesn't support the HTTP::cookie attribute method (v11), here's a way to add the attribute. Ideally you'd upgrade to v12+, but if that's not an option this may help get you by until you can. Obviously change SameSite=none to whatever you need it set to.

when HTTP_RESPONSE {
	# Grab the full value of every Set-Cookie header ("name=value; attr; attr=val")
	set COOKIE_VAL [HTTP::header values "Set-Cookie"]
	# Remove the originals; otherwise the response carries two Set-Cookie headers per cookie
	HTTP::header remove "Set-Cookie"
	foreach COOKIE_NAME $COOKIE_VAL {
		# $COOKIE_NAME is a whole header value, not a cookie name, so HTTP::cookie secure
		# cannot be used on it; append Secure as text instead (required with SameSite=none)
		# unless the cookie already carries it.
		set has_secure 0
		foreach attr [split $COOKIE_NAME ";"] {
			if { [string equal -nocase [string trim $attr] "secure"] } { set has_secure 1 }
		}
		if { $has_secure } {
			HTTP::header insert "Set-Cookie" "${COOKIE_NAME}; SameSite=none"
		} else {
			HTTP::header insert "Set-Cookie" "${COOKIE_NAME}; SameSite=none; Secure"
		}
	}
}


leonm_01
Nimbostratus

The iRule from David Scott worked perfectly (BIG-IP 12.1.3.6 Build 0.0.3 Point Release 6).

Thanks for creating and sharing 👌 👍

Vishnu2212
Nimbostratus

Where do I define the cookie name in this iRule? And also I need to do it for multiple cookies.

Last update: 05-Feb-2020 22:00