
Setting SameSite flag on ASM cookie using ASM system variables

Hello,

I have a question: can we add the samesite flag to the ASM cookie the same way we do for the httponly and secure flags, by creating system variables as in the KB below: https://support.f5.com/csp/article/K13787

For example:

* Parameter Name: cookie_samesite_attr
* Parameter Value: strict (or lax depending on the application need)

Thanks in advance.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

System variables aren't getting created when /usr/share/ts/bin/add_del_internal add [cookie_secure_attr | cookie_httponly_attr] is run. Setting the value to 1 enables setting the flag, setting the value to 0 disables setting the flag.

I think this issue is worth a call to support, to see if there is an RFE.

Comments on this Answer
Comment made 2 weeks ago by Mohamed Sayed 2

Hi rob,

Thanks for your reply, this is clear now. I saw the link below on samesite flag insertion: https://devcentral.f5.com/articles/increased-security-with-first-party-cookies-30715

But it only works for the LTM cookie and server-side cookies, and it didn't modify the ASM cookie. I think this is because ASM is processed after LTM, and an iRule event handler such as "HTTP_Response" can't catch the ASM cookie. Any idea how to achieve that?

Comment made 2 weeks ago by Mohamed Sayed 2

For anyone who is interested in this topic, the ASM cookie doesn't support the samesite flag.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can modify ASM cookies and add the SameSite attribute (or do any other header manipulation) using an iRule and the HTTP_RESPONSE_RELEASE event, see:

K14211: Using an iRule to parse post-ASM requests and responses

https://support.f5.com/csp/article/K14211

0
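A sketch of the HTTP_RESPONSE_RELEASE approach from the answer above, added here as an example; it is not code from the original thread or from F5. It assumes the ASM cookies carry the default "TS" name prefix and that `Strict` is the value the application needs (use `Lax` where the question's "depending on the application need" applies).

```tcl
when HTTP_RESPONSE_RELEASE {
    # Assumption: ASM cookie names start with "TS" (the default prefix).
    # Assumption: Strict is the desired policy; change to Lax if needed.
    set samesite "Strict"

    set rewritten [list]
    set changed 0

    # A response can carry several Set-Cookie headers; walk all of them.
    foreach sc [HTTP::header values "Set-Cookie"] {
        # The cookie name is everything before the first "=".
        set name [string trim [lindex [split $sc "="] 0]]

        # Only touch ASM cookies that do not already declare SameSite,
        # so the attribute is never emitted twice.
        if { [string match "TS*" $name] &&
             ![string match -nocase "*samesite=*" $sc] } {
            append sc "; SameSite=$samesite"
            set changed 1
        }
        lappend rewritten $sc
    }

    # Re-emit the headers only when something was modified, keeping
    # the original order and leaving non-ASM cookies untouched.
    if { $changed } {
        HTTP::header remove "Set-Cookie"
        foreach sc $rewritten {
            HTTP::header insert "Set-Cookie" $sc
        }
    }
}
```

After attaching the iRule to the virtual server, confirm in a response capture that each `TS` cookie carries exactly one `SameSite` attribute and that application cookies are unchanged.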