SameSite cookies and APM with v15
Hi, so i was just going to implement adding the samesite attribute to our APM cookies (MRHSession etc) when i failed miserably, because it seems the change, that you cannot read any HTTP headers after having an irule respond command also applies to APM responses..... when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST priority 50 { set userAgent [HTTP::header User-Agent] } when HTTP_RESPONSE_RELEASE priority 50 { if {![info exists userAgent]} { return } if {![call /Common/RuleUtil::check_samesite_config $userAgent]} { unset -nocomplain userAgent return } unset -nocomplain userAgent set named_cookies [list {MRHSession} {LastMRH_Session}] foreach cookie $named_cookies { if { [HTTP::cookie exists $cookie] } { HTTP::cookie attribute $cookie remove {SameSite} HTTP::cookie attribute $cookie insert {SameSite} "None" HTTP::cookie secure $cookie enable } } unset -nocomplain $named_cookies } This results in: Aug 24 11:52:49 redacted err tmm[20803]: 01220001:3: TCL error: /Common/SET_SAMESITE_APM_COOKIES <HTTP_RESPONSE_RELEASE> - Can't call after responding - ERR_NOT_SUPPORTED (line 23)invoked from within "HTTP::cookie exists $cookie"("foreach" body line 3)invoked from within "foreach cookie $named_cookies { if { [HTTP::cookie exists $cookie] } { log loca..." And after a quick check i noticed that HTTP::has_responded does indeed return 1 for APM events. So, how are we supposed to support SameSite attributes on APM cookies in v15? Thanks! Rene544Views0likes0CommentsSet Cookie SameSite = None
Hello Cool People. I'm fairly new to F5 and was wondering if there is an easy way to set the SameSite Cookie attribute to "None". I did look at the F5 irule article and don't quite understand the code as its too long. The goal was just to set SameSite = None for our site that goes trough f5. We have version 11 and was looking at this article https://github.com/f5devcentral/irules-toolbox/blob/master/security/http/cookies/samesite-attributes-pre-v12.tcl. Does this good to go by just making an irule with this entry and set it to our pool or are there any adjustments needed for our environment? Appreciate any response. Best,3.1KViews1like2CommentsSetting SameSite flag on ASM cookie using ASM system variables
Hello, I've a question, can we add samesite flag to ASM cookie with the same way we do for httponly and secure flags through creating system variables using the below KB: https://support.f5.com/csp/article/K13787 For Example: * Parameter Name: cookie_samesite_attr * Parameter Value: strict (or lax depending on the application need) Thanks in advance.808Views1like3CommentsSamesite cookies on 1600's
We have 1600's running 11.6.0 (End of life) and we are wondering if anyone happens to know if these support the new SameSite cookie policy settings as outlined in this article: https://devcentral.f5.com/s/articles/increased-security-with-first-party-cookies-30715 I was unable to find those parameters under Policies. Our current web servers have been patched with the Windows update required to address Samesite, however we need to confirm that our F5's will not cause issues, or if any further actions need to be taken on these 1600's. Thanks for any info anyone may have!Solved657Views0likes2CommentsConfigure iRule for CWE ID 352 CWE name Cross-Site Request Forgery (CSRF) vulnerability
How to configure the irule to fix the vulnerability CWE ID 352 CWE name Cross-Site Request Forgery (CSRF) in F5. FA_Session cookie is set by f5 load balancer to route request to same app servers from which response was sent. Can you please set the following attribute on F5 cookie "SameSite=strict"326Views0likes1Comment