Aflex to fix Chrome 80 Samesite Cookie attribute

colsoncolson Member

SameSite is making headlines because Google’s Chrome 80 browser will enforce a first-party default on all cookies that don’t have the attribute set. This will lead to repercussions if companies who rely on third-party cookie requests don’t make changes by the February 4 deadline.

Since we have a collaboration portal, we use third-party-cookies. The fix? Set the attribute to Samesite=none. Should be easy but I can't get it to work on the A10. The syntax is fine, but the rule never triggers. We get 0 hits. Environment below. No other aflex rules are affected and their content does not override the new rule.

slb virtual-server vip-123.456.78.9-http-cm 205.138.36.4 

 port 80 http 

  aflex http-https-redirect-w-302 

  aflex Remove-all-instances-server-header 

  aflex HTTP_REQUEST 

  aflex generic_samesite_none 

  service-group HTTPS-REDIRECT 

 port 443 https 

  name _123.456.78.9_HTTPS_443 

  access-list name WEB-Subnet source-nat-pool nat-123.456.78.1 

  aflex Disable-TLS10 

  aflex Remove-all-instances-server-header 

  aflex HTTP_REQUEST 

  aflex generic_samesite_none 

  service-group vip-123.456.78.9-https-serverfarm 

  template persist cookie vip-123.456.78.9-https-stickyfarm 

  template http NODEJS 

  template client-ssl test 

!

Rule -syntax is fine but rule just get's bypassed. Open to any other rule to accomplish the same thing. Or, can someone tell me why the rule won't trigger?

 when HTTP_RESPONSE {

set cookie_headers [HTTP::header values "Set-Cookie"]

HTTP::header remove "Set-Cookie"


foreach set_cookie_header $cookie_headers {

  HTTP::header insert "Set-Cookie" "${set_cookie_header}; SameSite=None"

}

}

Comments

  • mdunnmdunn Member

    I'm not an aflex expert, but I do know that if you have multiple aflex scripts bound to a single vPort, they are concatenated together and processed sequentially from top to bottom. Perhaps you have another aflex script triggering on HTTP_RESPONSE, and you'd need to add this logic to that other script's HTTP_RESPONSE section?

  • colsoncolson Member

    Thanks, That is a thought I had not considered. I also wondered if you could change the sequence of Aflex rules but not even sure that is possible. I will investigate. Thank you!

  • colsoncolson Member

    Thank you!!! I owe you a beer or ten. We've made some progress. The last item is the persistence cookie itself. I don't see an option to add the samesite=none attribute. httponly and secure are the only options for the persist template. Any ideas?



Sign In or Register to comment.