Last Modified: Nov 07, 2022
Known Affected Versions:
15.0.0, 15.0.1, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
Opened: Feb 12, 2020
When you set the 'SameSite' attribute using a local traffic policy as described in https://devcentral.f5.com/s/articles/increased-security-with-first-party-cookies-30715, the attribute is applied to all cookies except the AVR user session cookie.
Can't add SameSite attribute to AVR cookies.
-- Use Google Chrome browser.
-- The page load time or user sessions collection option is checked in the HTTP Analytics profile for the related virtual server.
Added an internal parameter, avr_cookie_add_attributes, that allows the BIG-IP system administrator to add a string at the end of the AVR Set-Cookie HTTP response header. Using this internal parameter, the administrator can add the SameSite=None string to opt out of the Chrome browser modification, allowing the AVR cookie to behave as before. This change is global and affects all AVR system cookies (page load time & user sessions).
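
One way to confirm the appended attribute reaches clients is to audit the Set-Cookie headers returned through the virtual server. The following is an added example, not F5 code: the cookie names and header values are constructed samples, and the Secure check reflects Chrome's requirement that a SameSite=None cookie also carry the Secure attribute.

```python
# Added example: audit Set-Cookie header values for the SameSite attribute.
# Cookie names and values below are constructed samples, not real BIG-IP output.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {lowercased_attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:  # tolerate a trailing ';'
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_samesite(set_cookie_values):
    """Return {cookie_name: finding} for each Set-Cookie header value."""
    findings = {}
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        samesite = attrs.get("samesite")
        if samesite is None:
            findings[name] = "missing SameSite"
        elif samesite.lower() not in ("none", "lax", "strict"):
            findings[name] = "invalid SameSite value"
        elif samesite.lower() == "none" and "secure" not in attrs:
            # Chrome rejects SameSite=None cookies that are not also Secure.
            findings[name] = "SameSite=None without Secure"
        else:
            findings[name] = "ok"
    return findings


# Constructed header values: one application cookie and three hypothetical
# analytics cookies in different states.
SAMPLE_HEADERS = [
    "app_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "avr_sample_a=1; Path=/",
    "avr_sample_b=1; Path=/; SameSite=None",
    "avr_sample_c=1; Path=/; Secure; SameSite=None;",
]

if __name__ == "__main__":
    for cookie, finding in audit_samesite(SAMPLE_HEADERS).items():
        print(f"{cookie}: {finding}")
```
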