Bug ID 880157: Unable to set SameSite attribute for AVR session cookie

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP AVR(all modules)

Known Affected Versions:
15.0.0, 15.0.1,,,,

Fixed In:

Opened: Feb 12, 2020
Severity: 3-Major


When trying to set the 'Samesite' attribute using a Local traffic policy according to https://devcentral.f5.com/s/articles/increased-security-with-first-party-cookies-30715, you are able to set the SameSite attribute for all cookies except for the AVR user session cookie.


Can't add SameSite attribute to AVR cookies.


-- Use Google Chrome browser. -- Page load time or user sessions collecting in HTTP Analytics profile is checked for the related virtual server.



Fix Information

Added an internal parameter, avr_cookie_add_attributes, that allows the BIG-IP system administrator to add a string at the end of the AVR Set-Cookie HTTP response header. Using this internal parameter, the administrator can add the SameSite=None string to opt-out from the Chrome browser modificatio, allowing the AVR cookie behave as before. This change is global and affects all AVR system cookies (page load time & user sessions).

Behavior Change