Aflex to fix Chrome 80 SameSite Cookie attribute
SameSite is making headlines because Google’s Chrome 80 browser will enforce a first-party default on all cookies that don’t have the attribute set. This will lead to repercussions if companies who rely on third-party cookie requests don’t make changes by the February 4 deadline.
Since we have a collaboration portal, we use third-party cookies. The fix? Set the attribute to SameSite=None. Should be easy but I can't get it to work on the A10. The syntax is fine, but the rule never triggers. We get 0 hits. Environment below. No other aflex rules are affected and their content does not override the new rule.
slb virtual-server vip-123.456.78.9-http-cm 205.138.36.4
   port 80 http
      aflex http-https-redirect-w-302
      aflex Remove-all-instances-server-header
      aflex HTTP_REQUEST
      aflex generic_samesite_none
      service-group HTTPS-REDIRECT
   port 443 https
      name _123.456.78.9_HTTPS_443
      access-list name WEB-Subnet source-nat-pool nat-123.456.78.1
      aflex Disable-TLS10
      aflex Remove-all-instances-server-header
      aflex HTTP_REQUEST
      aflex generic_samesite_none
      service-group vip-123.456.78.9-https-serverfarm
      template persist cookie vip-123.456.78.9-https-stickyfarm
      template http NODEJS
      template client-ssl test
!
Rule syntax is fine but the rule just gets bypassed. Open to any other rule to accomplish the same thing. Or, can someone tell me why the rule won't trigger?
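# Runs on each server response passing through the vPort
when HTTP_RESPONSE {
    # Collect every Set-Cookie value, then drop the original headers
    set cookie_headers [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    # Re-insert each cookie with SameSite=None appended
    foreach set_cookie_header $cookie_headers {
        HTTP::header insert "Set-Cookie" "${set_cookie_header}; SameSite=None"
    }
}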
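The header rewrite that the rule above performs, modeled offline in Python as an added example (not code from the original post or from A10). It generalizes the rule slightly: SameSite=None is appended only when a cookie has no SameSite attribute, and Secure is added because Chrome 80 rejects SameSite=None cookies that lack it. Function names and sample headers are constructed for illustration, and the browser model is simplified.

```python
# Added example: a simplified model of the Set-Cookie rewrite and of Chrome 80's handling.
# Function names and SAMPLES are constructed for illustration.

def attributes(set_cookie):
    """Map lower-cased attribute names to values, skipping the name=value pair."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name:
            attrs[name.lower()] = value.strip().lower()
    return attrs

def rewrite(set_cookie):
    """Add SameSite=None only if no SameSite attribute exists, plus Secure if missing."""
    attrs = attributes(set_cookie)
    out = set_cookie.rstrip().rstrip(";")
    if "samesite" not in attrs:
        out += "; SameSite=None"
        attrs["samesite"] = "none"
    if attrs["samesite"] == "none" and "secure" not in attrs:
        out += "; Secure"
    return out

def chrome80_effective(set_cookie):
    """Return 'none', 'lax', 'strict' or 'rejected' for one Set-Cookie value."""
    attrs = attributes(set_cookie)
    mode = attrs.get("samesite", "lax")  # no attribute: treated as Lax
    if mode == "none" and "secure" not in attrs:
        return "rejected"  # SameSite=None is only accepted together with Secure
    return mode

# Constructed Set-Cookie values, as a backend might send them
SAMPLES = [
    "sid=abc123; Path=/; HttpOnly",
    "sid=abc123; Path=/; Secure; HttpOnly",
    "pref=1; Path=/; SameSite=Lax",
    "sid=abc123; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for header in SAMPLES:
        fixed = rewrite(header)
        print(f"{chrome80_effective(header):9} -> {chrome80_effective(fixed):9} {fixed}")
```

Running the same check against the Set-Cookie values a client actually receives from the VIP shows whether the rule fired at all: an unchanged header still evaluates to `lax`.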
Comments
I'm not an aflex expert, but I do know that if you have multiple aflex scripts bound to a single vPort, they are concatenated together and processed sequentially from top to bottom. Perhaps you have another aflex script triggering on HTTP_RESPONSE, and you'd need to add this logic to that other script's HTTP_RESPONSE section?
Thanks, that is a thought I had not considered. I also wondered if you could change the sequence of Aflex rules, but I'm not even sure that is possible. I will investigate. Thank you!
Thank you!!! I owe you a beer or ten. We've made some progress. The last item is the persistence cookie itself. I don't see an option to add the samesite=none attribute. httponly and secure are the only options for the persist template. Any ideas?