Bug ID 880157: Unable to set SameSite attribute for AVR session cookie

Last Modified: Aug 05, 2020


Affected Product:
BIG-IP AVR (all modules)

Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
16.0.0

Opened: Feb 12, 2020
Severity: 3-Major

Symptoms

When you try to set the SameSite attribute using a local traffic policy, as described in https://devcentral.f5.com/s/articles/increased-security-with-first-party-cookies-30715, the attribute is set for all cookies except the AVR user session cookie.

Impact

The SameSite attribute cannot be added to AVR cookies.

Conditions

-- Use Google Chrome browser.
-- Collection of page load time or user sessions is checked in the HTTP Analytics profile for the related virtual server.

Workaround

None

Fix Information

Added an internal parameter, avr_cookie_add_attributes, that allows the BIG-IP system administrator to add a string at the end of the AVR Set-Cookie HTTP response header. Using this internal parameter, the administrator can add the SameSite=None string to opt out of the Chrome browser modification, allowing the AVR cookie to behave as before. This change is global and affects all AVR system cookies (page load time and user sessions).
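The following check is an added example, not F5 code: it audits Set-Cookie header values for the SameSite handling described above, including the case where SameSite=None is appended to a cookie that lacks Secure. The cookie name avr_example, the sample values, and the '; ' join used to model the appended string are assumptions.

```python
# Added example. Cookie names and values are constructed; the AVR cookie
# name is not given on this page, so "avr_example" is a placeholder.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(value):
    """Return (cookie name, list of SameSite findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(value)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("no SameSite attribute; Chrome defaults it to Lax")
    elif samesite.lower() not in ("strict", "lax", "none"):
        findings.append("unrecognised SameSite value: " + samesite)
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure; Chrome rejects the cookie")
    return name, findings

def with_appended_attributes(value, suffix):
    """Model of the fix: append an administrator-supplied string to the header.
    Assumption: the string is joined with '; ' (the separator is not stated)."""
    return value.rstrip("; ") + "; " + suffix.strip("; ")

if __name__ == "__main__":
    original = "avr_example=1f2e3d; Path=/"            # constructed sample
    for suffix in (None, "SameSite=None", "Secure; SameSite=None"):
        header = original if suffix is None else with_appended_attributes(original, suffix)
        name, findings = audit_cookie(header)
        print(header, "->", findings or "ok")
```

Run it against the Set-Cookie values captured from the virtual server after changing the parameter to confirm every cookie carries the intended attributes.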

Behavior Change