SameSite cookie must be set to None

 

Information

 

Summary:

Setting the SameSite cookie attribute to None in order to enable cross-site usage.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: SharePoint

Question/Problem Description: 

In Developer Tools there is a SameSite cookie error.

Steps to Reproduce:  
Error Message:

This Set-Cookie header didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax," and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage.

   
Enhancement Number:  
Cause:  
Resolution: 

To do this, navigate to Rules & Checking > Content Rules > Create New and use the following information:

Rule Type: Add Header
Header Field to be Added: Set-Cookie
Value of Header Field to be Added: SameSite=None; Secure

You will then need to add this rule to your service under Advanced Properties>HTTP Header Modifications. This will be applied as a response rule.

 

If the persistence method is set to Active Cookie, a different content rule must be configured, which will reference other cookies that the LoadMaster is adding to the client request.

To check which persistence method is being used within the virtual service navigate to the virtual service and expand the Standard Options field.

The following rule will need to be configured in place of the above rule:

Header Field: Set-Cookie

Match String: /(.*?);?$/

Value of Header Field to be replaced: \1; SameSite=None;

This will be applied as a response rule.

 

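The match string /(.*?);?$/ captures the existing cookie value (any character, any number of times) up to an optional trailing semicolon at the end of the header. The \1 syntax in the replace header field then references that captured value, so the new attributes are appended to it.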

 

These rules can be further adjusted if the site requires other needed attributes.

For example, if the site already sets the Secure attribute on the cookie and HttpOnly is also needed in the replacement, the following rule can be created:

Header Field: Set-Cookie

Match String: /(.*?);?$/

Value of Header Field to be replaced: \1; SameSite=None; httponly
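
To preview what the replace rule /(.*?);?$/ with the value \1; SameSite=None; does to different Set-Cookie headers, the following added example (not Kemp's code) applies the same pattern and audits the result. Browsers only accept SameSite=None on cookies that also carry Secure, so the audit flags rewritten cookies that lack it. Assumptions: Python's re module stands in for the LoadMaster's regex engine, the rule is applied once per header, and the sample headers are constructed.

```python
import re

# Match string and replacement value from the rule above, without the slashes.
MATCH = re.compile(r"(.*?);?$")
REPLACEMENT = r"\1; SameSite=None;"


def apply_rule(set_cookie):
    """Rewrite one Set-Cookie value the way the replace-header rule describes."""
    # count=1: Python would otherwise also replace the empty match at end of string.
    return MATCH.sub(REPLACEMENT, set_cookie, count=1)


def audit(set_cookie):
    """Return the problems that keep a cookie from being usable cross-site."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs = [p.partition("=") for p in parts[1:]]  # parts[0] is name=value
    names = [name.strip().lower() for name, _, _ in attrs]
    samesite = [value.strip().lower() for name, _, value in attrs
                if name.strip().lower() == "samesite"]
    problems = []
    if "none" not in samesite:
        problems.append("no SameSite=None")
    if len(samesite) > 1:
        problems.append("SameSite set more than once")
    if "none" in samesite and "secure" not in names:
        problems.append("SameSite=None without Secure")
    return problems


# Constructed sample headers, not captured from a real server.
SAMPLES = [
    "session=abc123; Path=/; Secure; HttpOnly",   # no trailing semicolon
    "auth=xyz789; Path=/; Secure;",               # trailing semicolon
    "lang=en; Path=/",                            # real server never set Secure
    "pref=1; Path=/; Secure; SameSite=Lax",       # SameSite already present
]


def report():
    """Apply the rule to every sample and pair the result with its audit."""
    return [(apply_rule(s), audit(apply_rule(s))) for s in SAMPLES]


if __name__ == "__main__":
    for rewritten, problems in report():
        print(rewritten, "->", problems or "ok")
```

Headers flagged "SameSite=None without Secure" need the Secure attribute added as well, and headers flagged "SameSite set more than once" come from a real server that already sets its own SameSite value.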

Workaround:  
Notes: https://support.kemptechnologies.com/hc/en-us/articles/202154165-How-to-Add-an-SSL-Secure-and-HTTP-only-flag-to-cookies-from-a-Real-Server
