
Samesite cookies on 1600's

Joe_Pipitone
Nimbostratus

We have 1600's running 11.6.0 (End of life) and we are wondering if anyone happens to know if these support the new SameSite cookie policy settings as outlined in this article: https://devcentral.f5.com/s/articles/increased-security-with-first-party-cookies-30715

 

I was unable to find those parameters under Policies. Our current web servers have been patched with the Windows update required to address Samesite, however we need to confirm that our F5's will not cause issues, or if any further actions need to be taken on these 1600's.

 

Thanks for any info anyone may have!

1 ACCEPTED SOLUTION

Simon_Blakely
F5 Employee

You cannot fix SameSite cookie issues on 11.6.x with LTM policies - the required features are not supported.

 

You will need to use the irule suggested in that article.

However, if your pool members have addressed the SameSite cookie attributes, then that irule may not be needed.

 

If the BigIP is adding cookies to the response (persistence cookies, ASM cookies, APM portal cookies), then those cookies will not have the correct attributes set.

 

In this case, you need to use that irule, but the event needs to be HTTP_RESPONSE_RELEASE.

 

BigIP cookies are added after HTTP_RESPONSE (which is just the response from the pool member), so to modify the BigIP cookies, you need to change them just before the final response is released to the client.

 

    when HTTP_RESPONSE_RELEASE {
        # Set-Cookie header can occur multiple times, treat as list
        set num [HTTP::header count Set-Cookie]
        if {$num > 0} {
            # Start from an empty list on every response: iRule variables live
            # for the whole connection, so without this reset the cookies from an
            # earlier response on a keep-alive connection would be re-inserted.
            set newcookies [list]
            foreach set_cookie [HTTP::header values Set-Cookie] {
                # only modify if header does not have SameSite attribute
                set foundSameSite [string match -nocase "*SameSite*" $set_cookie]
                if {!$foundSameSite} {
                    append set_cookie "; SameSite"
                }
                # collect modified and unmodified values in list newcookies
                lappend newcookies $set_cookie
            }
            if {$num == 1} {
                # overwrite existing
                HTTP::header replace Set-Cookie [lindex $newcookies 0]
            } else {
                # remove and replace
                HTTP::header remove Set-Cookie
                foreach set_cookie $newcookies {
                    HTTP::header insert Set-Cookie $set_cookie
                }
            }
        }
    }
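To confirm what the original question asks (that cookies the BIG-IP itself adds leave with a SameSite attribute), here is an added Python audit that is not part of the answer above or of any F5 tooling: it pulls every Set-Cookie header out of a released response, names the cookies that lack SameSite, and mirrors the iRule's rewrite so the two can be compared. The response below is constructed; the pool name in the BIGipServer persistence cookie is an assumption, and the check looks only at the attribute list rather than the whole string.

```python
from typing import List

# Constructed sample: a response as released to the client by a BIG-IP that has
# appended its own persistence cookie (BIGipServer<pool>, pool name assumed)
# after the pool member's cookie. Only the pool member's cookie has SameSite.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: BIGipServerpool_web=1677787402.20480.0000; path=/; Httponly\r\n"
    "\r\n"
)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return every Set-Cookie value in order; the header may repeat."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def has_samesite(set_cookie: str) -> bool:
    """True if an attribute (anything after the first ';') is SameSite,
    case-insensitively, with or without a value."""
    return any(p.strip().lower().startswith("samesite")
               for p in set_cookie.split(";")[1:])


def missing_samesite(raw_response: str) -> List[str]:
    """Audit: names of the cookies in the response that carry no SameSite."""
    return [c.split("=", 1)[0].strip()
            for c in set_cookie_headers(raw_response) if not has_samesite(c)]


def add_samesite(set_cookies: List[str], attribute: str = "SameSite") -> List[str]:
    """Rewrite the list the way the HTTP_RESPONSE_RELEASE iRule does: append
    the attribute only to values that lack one. A fresh list is built per
    call, which is also what the iRule must do per response."""
    return [c if has_samesite(c) else f"{c}; {attribute}" for c in set_cookies]
```

Run the audit against a response captured from the virtual server rather than from the pool member directly; only the released response contains the BIG-IP's own cookies.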

 


2 REPLIES


Joe_Pipitone
Nimbostratus

Thank you very much for your insight - it is much appreciated.