Setting cookie attribute SameSite=None for certain User-Agents

[Jari Hietanen]

Hello,

 

I would like to set SameSite=None attribute for cookies set by LB backend servers.

 

I would like to set this attribute first only for clients using Chrome 80 browsers.  

 

How I should implement this?

 

I tried something like this:

 

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search "regex(re!(path=/\\; SameSite)|(path=/)!)"
add rewrite policy append_samesite_cookie_pol "http.RES.HEADER(\"Set-Cookie\").EXISTS && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrome/80\")" append_samesite_cookie_act
bind cs vserver sso-test-cs-vip -policyName append_samesite_cookie_pol -priority 115 -gotoPriorityExpression NEXT -type RESPONSE

 

But I believe this is not working for Chrome80?

 

Is Citrix going to give any instructions how to tackle this quite serious issue for certain services such  SSO etc.?

 

 

 

[Bart Vermeersch]

There is https://support.citrix.com/article/CTX269469, but that looks similar to what you already have.

Do you get hits on the rewrite policy append_samesite_cookie_pol?

The regex is case sensitive, so it will not work if you have Path instead of path.

[Jari Hietanen]

I copied the syntax for my policy/action from that article.

 

These are copied from my Netscaler CLI:

 

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search "regex(re!(path=/\\; SameSite)|(path=/)!)"
add rewrite policy append_samesite_cookie_pol "http.RES.HEADER(\"Set-Cookie\").EXISTS" append_samesite_cookie_act

 

I do get hits for policy.    However When checking the JSESSIONID named cookie got from backend server,  I do see that SameSite  has not any value.

 

I would like to set SameSite=None for clients using Chrome version 80 and newer. 

The action should keep HttpOnly and Secure attributes set (like originals) received from the backed server.

 

 

I am using Chrome 80.0.3987.106  browser and NS12.1 51.19 build.

 

 

 

[Bart Vermeersch]

Are there other cookies that do get the SameSite attribute set to none?

[Jari Hietanen]

Nope.  There is another cookie but it is also missing that SameSite attribute.

[Bart Vermeersch]

What does the Set-Cookie header look like?

You can change the name and value.

[Jari Hietanen]

Set-Cookie header did not have the SameSite attribute at all.      

I tried to set SameSite=None attribute for cookie named JSESSIONID, but no luck.   

I used same action for this.  Only modified cookie name for new policy.

[Bart Vermeersch]

Can you post an example of the Set-Cookie header that you get in Chrome?

[Jari Hietanen]

Here one example:

 

Set-Cookie: uwa-IbFd1naBDpv1wejuExDy9hmZo6k=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure

[Bart Vermeersch]

The regex is case sensitive so it doesn't match Path=/

Perhaps you could use HTTP.RES.FULL_HEADER.TO_LOWER or change the search pattern to regex(re!(Path=/\\; SameSite)|(Path=/)!)

[Jari Hietanen]

Thanks a lot.  This seems to work well. :)

 

add rewrite action append_samesite_cookie_act replace_all http.RES.full_Header "\"SameSite=None; Secure; path=/\"" -search q{regex(re!(Path=/\\; SameSite)|(Path=/)!)}
add rewrite policy append_samesite_cookie_pol "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Chrome/80\")" append_samesite_cookie_act

 

It seems that policy works well for Chrome 80 browser.   Now I would like to figure out how to modify this to cover also future Chrome versions (81 and onwards).

 

I am not sure if that rexex works also with other than chrome browser if they are going to need this SameSite=None parameter set in the future?

 

 

 

 

 

[Bart Vermeersch]

There are some known issues, so I would stick to recent versions of Chrome for now:

https://www.chromium.org/updates/same-site/incompatible-clients

 

I think the following regex will work: HTTP.REQ.HEADER(\"User-Agent\").REGEX_MATCH(re!Chrome\\/8[0-9]!)

Also, you might want to make sure that you only set the SameSite attribute to none for specific cookie names.