Solving F5 persistence cookie missing in each HTTP request from cross-origin requests (SameSite)
Description:
Learn how to address a cookie persistence problem on the F5 BIG-IP load balancer: when an application behind the BIG-IP is reached by cross-origin requests (an iframe, a single sign-on flow, a payment gateway callback), the browser withholds the F5 persistence cookie from consecutive requests, the BIG-IP treats every request as new, and persistence is lost. The cause is the SameSite cookie attribute, and this post walks through why browsers drop the cookie, how to confirm that this is what is happening, and an iRule that sets SameSite=None on the persistence cookie so the load-balanced application keeps working from cross-origin contexts.
The Challenge: SameSite Attribute and Cross-Origin Requests
One common challenge developers run into is the SameSite attribute on cookies. It is an important web security control: it restricts whether a cookie is attached to cross-site requests, which is what makes it useful against CSRF. When single sign-on redirects or iframes are involved, the same restriction strips the persistence cookie from the requests the BIG-IP relies on, and load balancing no longer sticks to one pool member.
By default the cookie inserted by the F5 cookie persistence profile carries no SameSite attribute at all. Modern browsers (Chromium-based browsers since Chrome 80, and others that adopted the same default) treat a cookie without the attribute as SameSite=Lax, so it is not sent with cross-site subrequests. Let's look briefly at what the SameSite attribute means.
Cookie SameSite Attribute:
The SameSite attribute controls whether a cookie is sent with cross-site requests. Note that the unit is the site (the registrable domain, e.g. example.com, together with the scheme), not the origin, so app.example.com embedding api.example.com is same-site, while app.example.com embedding a page from payments.example.net is cross-site. There are three possible values, Lax, Strict and None:
SameSite=Lax: the cookie is withheld from most cross-site requests. It is still sent with top-level navigations that use a safe method (e.g., the user clicking a link that performs a GET), but not with cross-site subrequests such as iframes, fetch/XHR calls and images, and not with cross-site POSTs.
SameSite=Strict: the cookie is not sent with any cross-site request, top-level navigation or otherwise. This gives the strongest protection but can hurt the user experience, because even following a link from another site arrives without the cookie.
SameSite=None: the cookie is sent in both first-party and third-party contexts. When using SameSite=None you must also set the Secure attribute, which limits the cookie to HTTPS; browsers reject a SameSite=None cookie that is not marked Secure, so the cookie is then never sent at all. This value is the one needed for cross-site scenarios such as iframes, third-party integrations and payment gateway round trips.
Identifying the Issue:
If your F5 load-balanced application, when accessed through an iframe or by other cross-origin requests, either does not send the F5 persistence cookie on consecutive requests or receives a different persistence cookie in every response, the SameSite attribute is the likely culprit. You can confirm it with the browser's developer tools (Network tab) or a tool such as HttpWatch: look at the Set-Cookie header for the BIGipServer* cookie in the response and check whether it carries SameSite=None and Secure. If the attribute is absent, the browser treats the cookie as Lax, omits it from the embedded request, and the BIG-IP, seeing no persistence cookie, load-balances the request afresh and sets a new cookie.
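The following Python script is an added example, not code from the original post or from F5. It models the browser's SameSite decision for the three attribute values described above and runs it over constructed Set-Cookie headers of the kind a cookie persistence profile emits, so the check described in this section can be reproduced offline and the header rewrite the fix needs can be seen in isolation. The cookie names and values, the context labels and the function names are assumptions made for the illustration; the model follows Chromium's Lax-by-default behaviour and ignores the short-lived "Lax+POST" exception.

```python
"""Model of browser SameSite handling applied to BIG-IP persistence cookies.

Added example for this post; cookie names/values below are constructed, not
captured from a real deployment.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample Set-Cookie headers (assumption: pool named pool_web).
SAMPLE_RESPONSE_HEADERS = [
    # what a default cookie persistence profile emits (no SameSite attribute)
    "BIGipServer_pool_web=1677721866.20480.0000; path=/; Httponly",
    # the same cookie after the fix (Secure from the profile, SameSite from the iRule)
    "BIGipServer_pool_web=1677721866.20480.0000; path=/; Httponly; Secure; SameSite=None",
    # an unrelated application cookie that must be left alone
    "JSESSIONID=abc123; Path=/; HttpOnly",
]


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "Lax", "Strict", "None", or None if absent/invalid
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite: Optional[str] = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            val = val.strip().capitalize()
            # browsers ignore unknown SameSite values, which falls back to the default
            samesite = val if val in ("Lax", "Strict", "None") else None
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return Cookie(name.strip(), value.strip(), samesite, secure, httponly)


def effective_samesite(cookie: Cookie) -> str:
    """Missing attribute -> Lax (Lax-by-default). None without Secure -> rejected."""
    if cookie.samesite is None:
        return "Lax"
    if cookie.samesite == "None" and not cookie.secure:
        return "Rejected"
    return cookie.samesite


def sent_on(cookie: Cookie, context: str) -> bool:
    """Would the browser attach this cookie?  context is one of
    'same-site'       request whose site matches the top-level site
    'cross-site-nav'  top-level GET navigation from another site (link click)
    'cross-site-sub'  iframe, fetch/XHR, image or POST issued from another site
    """
    mode = effective_samesite(cookie)
    if mode == "Rejected":
        return False
    if context == "same-site":
        return True
    if mode == "Strict":
        return False
    if mode == "Lax":
        return context == "cross-site-nav"
    return True  # SameSite=None; Secure


def diagnose(set_cookie_headers: List[str], prefix: str = "BIGip") -> List[str]:
    """Names of persistence cookies a browser would drop from a cross-site
    subrequest, i.e. the cookies that break persistence behind an iframe."""
    broken = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.startswith(prefix) and not sent_on(cookie, "cross-site-sub"):
            broken.append(cookie.name)
    return broken


def fix_persistence_cookie(header: str, prefix: str = "BIGip") -> str:
    """Rewrite one Set-Cookie header the way the iRule in this post does:
    remove any SameSite attribute, append SameSite=None, and add Secure if it
    is missing.  Non-persistence cookies are returned untouched."""
    cookie = parse_set_cookie(header)
    if not cookie.name.startswith(prefix):
        return header
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts[1:] if p.partition("=")[0].strip().lower() != "samesite"]
    kept.append("SameSite=None")
    if not cookie.secure:
        kept.append("Secure")
    return "; ".join([parts[0]] + kept)


if __name__ == "__main__":
    print("cookies that break persistence in an iframe:", diagnose(SAMPLE_RESPONSE_HEADERS))
    for h in SAMPLE_RESPONSE_HEADERS:
        print(fix_persistence_cookie(h))
```

Running the script reports the first sample cookie as broken and the second as fine, which is exactly the difference you should see in the developer tools before and after the iRule is attached.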
Solution: F5 iRule to insert the SameSite cookie attribute
To address this issue we can use an F5 iRule to rewrite the SameSite attribute on the persistence cookie as the response leaves the BIG-IP.
Before writing the iRule and attaching it to the virtual server, make sure the cookie persistence profile attached to the virtual server has the Secure Attribute option enabled. This is not optional: browsers reject a SameSite=None cookie that lacks Secure, so without it the iRule would make things worse, not better. The virtual server must of course be serving HTTPS for a Secure cookie to be sent back.
Below is the iRule for the default F5 cookie persistence profile, where the cookie name starts with BIGip (the default name is BIGipServer followed by the pool name):
when HTTP_RESPONSE_RELEASE priority 500 {
    # Find every cookie in this response whose name starts with BIGip.
    foreach cookie_name [lsearch -all -inline -glob [HTTP::cookie names] {BIGip*}] {
        # Drop any SameSite attribute already present so the cookie never
        # carries two, then add SameSite=None. The Secure attribute comes
        # from the persistence profile's Secure Attribute option.
        HTTP::cookie attribute $cookie_name remove {samesite}
        HTTP::cookie attribute $cookie_name insert {SameSite} {None}
    }
}
If the persistence profile uses a custom cookie name, use the same iRule with that name in the glob pattern instead (the original example uses a custom cookie named striker_cookie). Only one of the two iRules is needed for a given virtual server:
when HTTP_RESPONSE_RELEASE priority 500 {
    # Same logic, matching the custom persistence cookie name.
    foreach cookie_name [lsearch -all -inline -glob [HTTP::cookie names] {striker_cookie*}] {
        HTTP::cookie attribute $cookie_name remove {samesite}
        HTTP::cookie attribute $cookie_name insert {SameSite} {None}
    }
}
Note:
Attach a OneConnect profile to the virtual server as well. Without it the BIG-IP makes its load-balancing decision only on the first HTTP request of a TCP connection, so later requests on a keep-alive connection go to the same pool member regardless of the cookie they carry; with OneConnect the decision, and therefore cookie persistence, is applied to each HTTP request.
Two caveats on the change itself. First, some older clients (notably Safari on iOS 12 and macOS 10.14) mishandle SameSite=None and treat it as Strict, so if you must support them check the User-Agent before inserting the attribute. Second, this iRule touches only the persistence cookie, which carries routing state and no authentication state; the application's own session cookies keep whatever SameSite value the application sets, so the CSRF protection they provide is unchanged.
Conclusion:
With this iRule in place, together with the Secure attribute on the persistence profile and OneConnect on the virtual server, the persistence cookie is sent as expected even when the application is accessed through iframes, cross-origin requests or third-party applications. This resolves the immediate problem of requests bouncing between pool members and gives a stable foundation for load-balanced applications that are embedded in or called from other sites.