Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AVR
Known Affected Versions:
15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
16.0.0
Opened: Feb 12, 2020
Severity: 3-Major
Symptoms:
When trying to set the 'SameSite' attribute using a Local Traffic Policy according to https://devcentral.f5.com/s/articles/increased-security-with-first-party-cookies-30715, you are able to set the SameSite attribute for all cookies except for the AVR user session cookie.
Impact:
Can't add SameSite attribute to AVR cookies.
Conditions:
-- Use Google Chrome browser.
-- Page load time or user sessions collecting in HTTP Analytics profile is checked for the related virtual server.
Workaround:
None
Fix Information:
Added an internal parameter, avr_cookie_add_attributes, that allows the BIG-IP system administrator to add a string at the end of the AVR Set-Cookie HTTP response header. Using this internal parameter, the administrator can add the SameSite=None string to opt out of the Chrome browser modification, allowing the AVR cookie to behave as before. This change is global and affects all AVR system cookies (page load time & user sessions).
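To confirm the appended string actually reaches clients, the Set-Cookie headers captured from the virtual server can be audited as below. This is an added example, not F5 code: the cookie names and sample headers are constructed placeholders, and the check that SameSite=None is paired with Secure reflects Chrome's requirement for such cookies.

```python
# Added example: audit Set-Cookie header values for the SameSite attribute.
# Cookie names and header values below are constructed placeholders.
SAMPLE_HEADERS = [
    "EXAMPLE_AVR_COOKIE=abc123; path=/",
    "EXAMPLE_AVR_COOKIE=abc123; path=/; SameSite=None",
    "EXAMPLE_AVR_COOKIE=abc123; path=/; SameSite=None; Secure",
    "app_session=xyz; Path=/; HttpOnly; Secure; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def classify(header):
    """Return (cookie name, finding) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if samesite is None:
        # Chrome applies its default handling when the attribute is absent.
        return name, "missing-samesite"
    mode = samesite.lower()
    if mode not in ("none", "lax", "strict"):
        return name, "invalid-samesite"
    if mode == "none" and "secure" not in attrs:
        # Chrome rejects SameSite=None cookies that are not marked Secure.
        return name, "none-without-secure"
    return name, "ok:" + mode


def audit(headers):
    """Classify every Set-Cookie value in the list."""
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {finding}")
```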