Jump to content
Welcome to our new Citrix community!

rewriting named cookie with samesite attribute


Recommended Posts

Hello,

I have a bit of an issue that I am hoping to resolve using a netscaler action.

We are using a VPX running on top of an SDX both running NS12.1 54.16.nc.

A .net application that we run is compiled in v 4.5 of .net. With the changes to to chrome & firefox in the coming weeks / months regarding samesite attribute we need to add a samesite attribute to a particular named cookie if it exists. There is a rewrite action & policy already linked to a website with the following set.

 

rewrite policy rw_pol_secure_cookie with the expression HTTP.RES.HEADER("set-cookie").EXISTS
rewrite action rw_act_secure_cookieof type Replace_ALL expression to choose http.RES.full_Header expression http.RES.full_Header regular expression re!(path=/; secure; httponly)|(path=/; HttpOnly)|(path=/; secure)|(path=/; httponly)|(path=/)!


could I create a new policy with the expression http.RES.SET_COOKIE.COOKIE("my_cookie") (so only this cookie is amended)

use the same action but put in the expression "path=/; secure; httponly; samesite=none" so that the same site is added

 

I do not know enough about asp.net to write a website to test this on my own vpx. I cannot seem to find a free precompiled IIS page so that I can apply this setting.

 

Thanks,

Matt

Link to comment
Share on other sites

  • 2 weeks later...

We are also having this issue, we've already attempted some changes in .NET which basically forced us to upgrade to .NET 4.7, however, we've had mixed results at best. We feel the least invasive way for us to address this would be to be able to re-write the SameSite attribute via NetScaler. 

Thanks,

Jon

Link to comment
Share on other sites

I spent some time on this today to see if I could come up with my own solution. I have not tested this Regex out yet in Netscaler but I tested it externally. The overall approach is similar to the article mentioned here. I'm not sure if NetScaler supports using Regex groups so that's why I had to come-up with a huge expanded Regex. Secondly, in their example they seem inconsistent with the escape characters in their example so modifications will probably need to be made.


Regardless, here's what I came up with so-far:

(path=\/; HttpOnly; Secure; SameSite=None|Lax|Strict)|(path=\/; HttpOnly; Secure)|(path=\/; HttpOnly; SameSite=None|Lax|Strict)|(path=\/; HttpOnly)|(path=\/; Secure; SameSite=None|Lax|Strict)|(path=\/; Secure)|(path=\/; SameSite=None|Lax|Strict)|(path=\/)|(HttpOnly; Secure; SameSite=None|Lax|Strict)|(HttpOnly; Secure)|(HttpOnly; SameSite=None|Lax|Strict)|(HttpOnly)|(Secure; SameSite=None|Lax|Strict)|(Secure)|(SameSite=None|Lax|Strict)


Let me know if you have any success.

Link to comment
Share on other sites

We were able to get this working in our environment. We ended up splitting the re-writes into two separate actions and policies, primarily because with the original setup posted above it was too long for just one but we also realized we didn't want every cookie to be set as HttpOnly as some of the cookies need to be accessible by JavaScript.

act_cookie_SameSite
 Search (Regular Expression)

Quote

(SameSite=Lax)|(SameSite=Strict)

 for the Expression (what we're replacing the match with):

Quote

"SameSite=None"

 

act_cookie_Secure

Search (Regular Expression)

Quote

(path=/; Secure)|(path=/)

for the Expression (what we're replacing the match with):

Quote

"path=/; Secure"

 

Hope that helps.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...