
Setting cookie attribute SameSite=None for certain User-Agents


Jari Hietanen


Hello,

 

I would like to set SameSite=None attribute for cookies set by LB backend servers.

 

I would like to set this attribute first only for clients using Chrome 80 browsers.  

 

How should I implement this?

 

I tried something like this:

 

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search "regex(re!(path=/\\; SameSite)|(path=/)!)"
add rewrite policy append_samesite_cookie_pol "http.RES.HEADER(\"Set-Cookie\").EXISTS && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrome/80\")" append_samesite_cookie_act
bind cs vserver sso-test-cs-vip -policyName append_samesite_cookie_pol -priority 115 -gotoPriorityExpression NEXT -type RESPONSE

 

But I believe this is not working for Chrome 80?

 

Is Citrix going to give any instructions on how to tackle this quite serious issue for certain services such as SSO, etc.?

I copied the syntax for my policy/action from that article.

 

These are copied from my Netscaler CLI:

 

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search "regex(re!(path=/\\; SameSite)|(path=/)!)"
add rewrite policy append_samesite_cookie_pol "http.RES.HEADER(\"Set-Cookie\").EXISTS" append_samesite_cookie_act

 

I do get hits for the policy. However, when checking the cookie named JSESSIONID received from the backend server, I see that SameSite does not have any value.

 

I would like to set SameSite=None for clients using Chrome version 80 and newer.

The action should keep the HttpOnly and Secure attributes set (like the originals) received from the backend server.

 

 

I am using the Chrome 80.0.3987.106 browser and NS12.1 51.19 build.

Thanks a lot.  This seems to work well. :)

 

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search q{regex(re!(Path=/\\; SameSite)|(Path=/)!)}
add rewrite policy append_samesite_cookie_pol "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrome/80\")" append_samesite_cookie_act

 

It seems that the policy works well for the Chrome 80 browser. Now I would like to figure out how to modify this to also cover future Chrome versions (81 and onwards).

 

I am not sure if that regex also works with browsers other than Chrome, if they are going to need this SameSite=None parameter set in the future?

There are some known issues, so I would stick to recent versions of Chrome for now:

https://www.chromium.org/updates/same-site/incompatible-clients

 

I think the following regex will work: HTTP.REQ.HEADER(\"User-Agent\").REGEX_MATCH(re!Chrome\\/8[0-9]!)

Also, you might want to make sure that you only set the SameSite attribute to none for specific cookie names.
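To make the two suggestions in this reply concrete (gate the rewrite on the Chrome version and restrict it to named cookies) while keeping the HttpOnly and Secure attributes the backend already sent, here is an added Python emulation of the policy condition and rewrite action. It is not NetScaler code and not part of the original thread; it only models the header transformation so it can be checked offline. It generalizes the `8[0-9]` range by parsing the major version, so Chrome 90 and later also match, and it rewrites at the attribute level rather than searching for `Path=/`, so it does not depend on the capital-P spelling that distinguishes the working action above from the first attempt. The header lines and User-Agent strings are constructed samples.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample backend response headers (not captured from a real server).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "lang=en; path=/; SameSite=Lax"),
]

# Constructed sample User-Agent strings.
CHROME80_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36")
CHROME79_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0"

# Extract the Chrome major version; parsing the number instead of matching
# "8[0-9]" keeps the gate valid once Chrome passes version 89.
CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")


def wants_samesite_none(user_agent: str, min_major: int = 80) -> bool:
    """Policy condition: the client is Chrome at or above min_major.

    Older clients are deliberately left alone, since the Chromium
    incompatible-clients page linked above lists browsers that reject or
    mishandle cookies carrying SameSite=None.
    """
    match = CHROME_MAJOR.search(user_agent)
    return match is not None and int(match.group(1)) >= min_major


def rewrite_set_cookie(header: str, cookie_names: Iterable[str]) -> str:
    """Rewrite action for one Set-Cookie value.

    - Only cookies whose name is in cookie_names are touched.
    - HttpOnly/Secure from the backend are kept; Secure is added if missing,
      because browsers reject SameSite=None without it.
    - An existing SameSite value is replaced instead of being duplicated.
    - The Path attribute is left as sent, whatever its capitalisation.
    """
    name = header.split("=", 1)[0].strip()
    if name not in set(cookie_names):
        return header
    attrs = [a.strip() for a in header.split(";") if a.strip()]
    kept = [a for a in attrs if not a.lower().startswith("samesite=")]
    if not any(a.lower() == "secure" for a in kept):
        kept.append("Secure")
    kept.append("SameSite=None")
    return "; ".join(kept)


def rewrite_response(headers: List[Tuple[str, str]], user_agent: str,
                     cookie_names: Iterable[str] = ("JSESSIONID",)) -> List[Tuple[str, str]]:
    """Apply the action to every Set-Cookie header when the condition holds."""
    if not wants_samesite_none(user_agent):
        return list(headers)
    names = tuple(cookie_names)
    return [(k, rewrite_set_cookie(v, names) if k.lower() == "set-cookie" else v)
            for k, v in headers]


if __name__ == "__main__":
    for ua in (CHROME80_UA, CHROME79_UA, FIREFOX_UA):
        print(ua.split(") ")[-1])
        for k, v in rewrite_response(SAMPLE_HEADERS, ua):
            print(f"  {k}: {v}")
```

Restricting the rewrite to named cookies matters because the original action touched every Set-Cookie in the response; a cookie the backend deliberately sends with SameSite=Lax or Strict would otherwise be silently downgraded to None.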
