Jari Hietanen Posted February 13, 2020
Hello, I would like to set the SameSite=None attribute for cookies set by LB backend servers. I would like to set this attribute first only for clients using Chrome 80 browsers. How should I implement this? I tried something like this:

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search "regex(re!(path=/\\; SameSite)|(path=/)!)"
add rewrite policy append_samesite_cookie_pol "http.RES.HEADER(\"Set-Cookie\").EXISTS && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrome/80\")" append_samesite_cookie_act
bind cs vserver sso-test-cs-vip -policyName append_samesite_cookie_pol -priority 115 -gotoPriorityExpression NEXT -type RESPONSE

But I believe this is not working for Chrome 80? Is Citrix going to give any instructions on how to tackle this quite serious issue for certain services such as SSO etc.?
Bart Vermeersch Posted February 14, 2020
There is https://support.citrix.com/article/CTX269469, but that looks similar to what you already have. Do you get hits on the rewrite policy append_samesite_cookie_pol? The regex is case sensitive, so it will not work if you have Path instead of path.
Jari Hietanen Posted February 14, 2020 Author
I copied the syntax for my policy/action from that article. These are copied from my Netscaler CLI:

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search "regex(re!(path=/\\; SameSite)|(path=/)!)"
add rewrite policy append_samesite_cookie_pol "http.RES.HEADER(\"Set-Cookie\").EXISTS" append_samesite_cookie_act

I do get hits for the policy. However, when checking the cookie named JSESSIONID received from the backend server, I see that SameSite does not have any value. I would like to set SameSite=None for clients using Chrome version 80 and newer. The action should keep the HttpOnly and Secure attributes set (like the originals) received from the backend server. I am using the Chrome 80.0.3987.106 browser and NS12.1 51.19 build.
Bart Vermeersch Posted February 14, 2020
Are there other cookies that do get the SameSite attribute set to none?
Jari Hietanen Posted February 14, 2020 Author
Nope. There is another cookie but it is also missing that SameSite attribute.
Bart Vermeersch Posted February 14, 2020
What does the Set-Cookie header look like? You can change the name and value.
Jari Hietanen Posted February 14, 2020 Author
The Set-Cookie header did not have the SameSite attribute at all. I tried to set the SameSite=None attribute for the cookie named JSESSIONID, but no luck. I used the same action for this and only modified the cookie name for the new policy.
Bart Vermeersch Posted February 14, 2020
Can you post an example of the Set-Cookie header that you get in Chrome?
Jari Hietanen Posted February 14, 2020 Author
Here is one example:

Set-Cookie: uwa-IbFd1naBDpv1wejuExDy9hmZo6k=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Bart Vermeersch Posted February 14, 2020
The regex is case sensitive, so it doesn't match Path=/. Perhaps you could use HTTP.RES.FULL_HEADER.TO_LOWER or change the search pattern to:

regex(re!(Path=/\\; SameSite)|(Path=/)!)
Jari Hietanen Posted February 17, 2020 Author
Thanks a lot. This seems to work well. :)

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search q{regex(re!(Path=/\\; SameSite)|(Path=/)!)}
add rewrite policy append_samesite_cookie_pol "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrome/80\")" append_samesite_cookie_act

It seems that the policy works well for the Chrome 80 browser. Now I would like to figure out how to modify this to also cover future Chrome versions (81 and onwards). I am not sure if that regex also works with browsers other than Chrome, if they are going to need this SameSite=None parameter set in the future?
Bart Vermeersch Posted February 19, 2020
There are some known issues, so I would stick to recent versions of Chrome for now: https://www.chromium.org/updates/same-site/incompatible-clients

I think the following regex will work:

HTTP.REQ.HEADER(\"User-Agent\").REGEX_MATCH(re!Chrome\\/8[0-9]!)

Also, you might want to make sure that you only set the SameSite attribute to none for specific cookie names.
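The following is an added example, not code from the thread, the CTX article or Citrix: a small Python model of the rewrite the posts above arrive at, so the two things that tripped the thread up (the case-sensitive match on Path=/ and the User-Agent gate) can be exercised offline before they go into a NetScaler rewrite action. It covers the case-sensitivity fix from the February 14 reply and the version gate and cookie-name restriction from the February 19 reply. The cookie allowlist CROSS_SITE_COOKIES, the function names and the sample header values are assumptions; the uwa-... cookie is the one posted above, the JSESSIONID value is made up. The gate compares the Chrome major version numerically, so it keeps working past Chrome 89 where the Chrome/8[0-9] pattern from the thread stops matching; forum_regex_matches keeps that pattern only to show the difference.

```python
import re

# Only cookies that must travel in a cross-site context (the SSO session cookie
# in the thread) should be relaxed to SameSite=None.  Hypothetical allowlist.
CROSS_SITE_COOKIES = {"JSESSIONID"}

# Set-Cookie attributes are separated by ';' and attribute names are matched
# case-insensitively (RFC 6265), which is why a search for "path=/" missed the
# backend's "Path=/" in the thread.
_ATTR_SPLIT = re.compile(r"\s*;\s*")

# Chrome 80+ treats cookies without SameSite as Lax; gate on the major version.
_CHROME_RE = re.compile(r"Chrome/(\d+)")
# The pattern suggested in the thread, kept only to show where it stops matching.
_FORUM_UA_RE = re.compile(r"Chrome/8[0-9]")


def cookie_name(set_cookie: str) -> str:
    """Name of the cookie in a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def add_samesite_none(set_cookie: str) -> str:
    """Return the header value with SameSite=None; Secure, keeping every other
    attribute (HttpOnly, Path, Expires, ...) exactly as the backend sent it."""
    parts = _ATTR_SPLIT.split(set_cookie.strip())
    name_value, attrs = parts[0], parts[1:]
    kept = []
    for attr in attrs:
        if not attr:
            continue
        key = attr.split("=", 1)[0].strip().lower()  # case-insensitive compare
        if key in ("samesite", "secure"):
            continue  # re-added below so the result never carries two of them
        kept.append(attr)
    # Browsers reject SameSite=None unless the cookie is also Secure.
    return "; ".join([name_value] + kept + ["SameSite=None", "Secure"])


def chrome_major(user_agent: str):
    """Chrome major version from a User-Agent, or None for non-Chrome clients."""
    m = _CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def wants_samesite_none(user_agent: str) -> bool:
    """True for Chrome 80 and newer (any Chromium build carrying Chrome/<major>,
    so Chromium-based Edge is included).  Other clients get the cookie as sent;
    the Chromium incompatible-clients list linked above names browsers that
    mishandle SameSite=None, so do not widen this without checking it."""
    major = chrome_major(user_agent)
    return major is not None and major >= 80


def forum_regex_matches(user_agent: str) -> bool:
    """The Chrome/8[0-9] pattern from the thread: matches Chrome 80 to 89 only."""
    return _FORUM_UA_RE.search(user_agent) is not None


def rewrite_response_headers(headers, user_agent):
    """Apply the rewrite to a list of (name, value) response headers, touching
    only Set-Cookie headers for allowlisted cookie names."""
    if not wants_samesite_none(user_agent):
        return list(headers)
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie" and cookie_name(value) in CROSS_SITE_COOKIES:
            value = add_samesite_none(value)
        out.append((name, value))
    return out


if __name__ == "__main__":
    # Constructed sample: the cookie posted in the thread plus a made-up JSESSIONID.
    chrome80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36")
    resp = [
        ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
        ("Set-Cookie", "uwa-IbFd1naBDpv1wejuExDy9hmZo6k=; Max-Age=0; "
                       "Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure"),
    ]
    for name, value in rewrite_response_headers(resp, chrome80):
        print(f"{name}: {value}")
```

Run as-is to see that JSESSIONID gains SameSite=None; Secure with HttpOnly intact, while the non-allowlisted uwa-... cookie passes through unchanged. On the appliance itself the equivalent of the allowlist is a policy expression that tests the cookie name, as the February 19 reply suggests, rather than a rewrite on every Set-Cookie header.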