I have a question: can we add the SameSite flag to the ASM cookie in the same way we do for the HttpOnly and Secure flags, by creating system variables using the KB below:
* Parameter Name: cookie_samesite_attr
* Parameter Value: strict (or lax depending on the application need)
Thanks in advance.
System variables aren't getting created when /usr/share/ts/bin/add_del_internal add [cookie_secure_attr | cookie_httponly_attr] is run. Setting the value to 1 enables setting the flag, setting the value to 0 disables setting the flag.
I think this issue is worth a call to support, to see if there is an RFE.
Thanks for your reply, this is clear now. I saw the link below about SameSite flag insertion:
But it only works for the LTM cookie and server-side cookies, and it didn't modify the ASM cookie. I think this is because ASM is processed after LTM, and an iRule event handler such as "HTTP_Response" can't catch the ASM cookie. Any idea how to achieve that?
For anyone who is interested in this topic, the ASM cookie doesn't support the SameSite flag.
You can modify ASM cookies and add the SameSite attribute (or do any other header manipulation) using an iRule and the HTTP_RESPONSE_RELEASE event, see:
K14211: Using an iRule to parse post-ASM requests and responses
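
The approach from the last reply, sketched as an iRule. This is an added example, not code from the thread or from K14211. It assumes ASM cookie names begin with `TS` and that `Strict` is the value the application needs.

```tcl
# Added example (not from the thread or K14211).
# Assumptions: ASM cookie names start with "TS"; SameSite value is set below.
when HTTP_RESPONSE_RELEASE {
    # This event fires after ASM has added its cookies to the response,
    # so the Set-Cookie headers it inserts are visible here.
    set samesite "Strict"   ;# or "Lax" / "None", depending on the application

    # Each cookie is sent in its own Set-Cookie header; collect them all.
    set cookies [HTTP::header values "Set-Cookie"]
    if { [llength $cookies] == 0 } { return }

    # Remove every Set-Cookie header, then re-insert them one by one.
    HTTP::header remove "Set-Cookie"
    foreach cookie $cookies {
        # Rewrite only ASM cookies that do not already carry SameSite.
        if { [string match "TS*" $cookie] &&
             ![string match -nocase "*samesite=*" $cookie] } {
            append cookie "; SameSite=$samesite"
            # Browsers reject SameSite=None unless Secure is also set.
            if { $samesite eq "None" &&
                 ![string match -nocase "*secure*" $cookie] } {
                append cookie "; Secure"
            }
        }
        # Non-ASM cookies are re-inserted unchanged.
        HTTP::header insert "Set-Cookie" $cookie
    }
}
```

After attaching the iRule to the virtual server, check the result with `curl -skI` against a protected URL and confirm that each `TS` cookie carries the attribute exactly once.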