NimbostratusHello,
I've a question, can we add samesite flag to ASM cookie with the same way we do for httponly and secure flags through creating system variables using the below KB: https://support.f5.com/csp/article/K13787
For Example: * Parameter Name: cookie_samesite_attr * Parameter Value: strict (or lax depending on the application need)
Thanks in advance.
CirrostratusSystem variable aren't getting created when /usr/share/ts/bin/add_del_internal add [cookie_secure_attr | cookie_httponly_attr] is run. Setting the value to 1 enables setting the flag, setting the value to 0 disables setting the flag.
I think this issue is worth a call to support, to see if there is an RFE.
CirrocumulusYou can modify ASM cookies and add SameSite attribute (or do any other header manipulation) using an iRule and HTP_RESPONSE_RELEASE event, see:
K14211: Using an iRule to parse post-ASM requests and responses
https://support.f5.com/csp/article/K14211
Here's an iRule that will set SameSite on cookies that the web app, ASM or other BIG-IP modules set via the Set-Cookie header:
https://devcentral.f5.com/s/articles/iRule-to-set-SameSite-for-compatible-clients-and-remove-it-for-incompatible-clients-LTM-ASM-APM
Aaron
