Add SameSite attribute to APM Cookies
Published Jan 30, 2020
Version 1.0
Thanks Yann! We've been testing with this more conservative iRule. I think this may work for some (most?) LTM+APM use cases and should execute less code less often. However, as you know APM is deployed in a lot of different ways and it's going to be hard to know for sure what the impacts are before we get bigger user populations on Chrome 80.
Any feedback is welcome.
edit: changed "Lax" to "None".
It's been brought up that this issue will also impact LTM persistence cookies, which have a much bigger use case.

    when CLIENT_ACCEPTED {
        # This allows events to fire when APM is doing policy operations
        ACCESS::restrict_irule_events disable
    }
    when HTTP_RESPONSE_RELEASE {
        # APM cookies are set only in 302s
        if { [HTTP::status] == "302" } {
            # Make sure we have a mrhsession cookie here
            if { [HTTP::cookie exists "MRHSession"] } {
                HTTP::cookie attribute "MRHSession" insert "SameSite" "None"
            } else {
                #log local0. "No MRHSession Found"
            }
        }
    }
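
To confirm from the client side what an iRule like the one above produces, the following added example (not part of the original comment and not F5 code) audits the Set-Cookie headers of a response against the two Chrome 80 rules: a cookie with no SameSite attribute is treated as Lax, and SameSite=None is only accepted together with Secure. The sample response, its cookie values and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the SameSite handling Chrome 80 enforces.
# SAMPLE_RESPONSE is constructed sample data, not captured from a real BIG-IP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /my.policy\r\n"
    "Set-Cookie: MRHSession=0123456789abcdef; path=/; secure; SameSite=None\r\n"
    "Set-Cookie: LastMRH_Session=89abcdef; path=/; secure\r\n"
    "Set-Cookie: BIGipServerpool_demo=1234.5678.0000; path=/; SameSite=None\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response):
    """Return {cookie_name: {attribute_lowercased: value}} for each Set-Cookie header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {}
        for part in parts[1:]:
            if part:
                key, _, val = part.partition("=")
                attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
        cookies[cookie_name] = attrs
    return cookies


def samesite_findings(raw_response):
    """Classify each cookie by how Chrome 80 will handle its SameSite setting."""
    findings = {}
    for name, attrs in parse_set_cookies(raw_response).items():
        samesite = attrs.get("samesite")
        if samesite is None:
            findings[name] = "no SameSite: Chrome 80 treats it as Lax"
        elif samesite.lower() == "none" and "secure" not in attrs:
            findings[name] = "SameSite=None without Secure: Chrome 80 rejects it"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for cookie, finding in samesite_findings(SAMPLE_RESPONSE).items():
        print(f"{cookie}: {finding}")
```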