Support SameSite parameter for the persistence cookie #361
Comments
Let's also discuss: Should we implement a I'd personally opt for the latter, which makes this more flexible. |
Well, if you ask me, a generic option with more flexibility sounds great. |
That's exactly the same question that came to my mind reading this and I
came to the same conclusion. However, we probably need to think in terms
of multiple attributes, or we risk facing the issue again once someone
needs "samesite" and something else.
|
Hello everyone. For the more general background, version 80 of Chrome is scheduled to be rolled out on February 6. This will mean a lot of users will suddenly start different connections for requests to the same HA instance. |
Hello, any update planned for this point? Sticky cookies will not be sent anymore for sites embedded in an iframe or in another browser tab if they are not on the same domain. This will be blocking for many use cases. |
I submitted a patch on the mailing list to solve this issue. Idea is to add an
Of course, the |
… directive

It is now possible to insert any attribute when a cookie is inserted by HAProxy. Any value may be set, no check is performed except the syntax validity (CTRL chars and ';' are forbidden). For instance, it may be used to add the SameSite attribute:

    cookie SRV insert attr "SameSite=Strict"

The attr option may be repeated to add several attributes.

This patch should fix the issue #361.
I backported the feature as far as 1.8. |
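An added example, not part of the thread and not HAProxy's code: a Python sketch of the attr syntax rule quoted in the commit message above (CTRL chars and ';' forbidden) together with a check of the resulting persistence cookie for the SameSite/Secure pairing. The function names, the "path=/" header shape and the sample values are assumptions made for illustration.

```python
import re

# Rule quoted in the commit message: CTRL chars and ';' are forbidden.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f;]")

def valid_attr(value):
    """True if value passes the syntax rule described for the attr option."""
    return _FORBIDDEN.search(value) is None

def build_set_cookie(name, server, attrs):
    """Assumed header shape: each attr appended after '; ' (illustrative only)."""
    bad = [a for a in attrs if not valid_attr(a)]
    if bad:
        raise ValueError(f"invalid attr value(s): {bad!r}")
    return "; ".join([f"{name}={server}", "path=/"] + list(attrs))

def audit(header, cookie_name):
    """Findings for the persistence cookie in one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    if not parts[0].startswith(cookie_name + "="):
        return []  # a different cookie, e.g. the application's session cookie
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    samesite = attrs.get("samesite")
    findings = []
    if samesite is None:
        findings.append("no SameSite: browser default applies")
    elif samesite not in ("lax", "strict", "none"):
        findings.append(f"unknown SameSite value {samesite!r}")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    return findings

if __name__ == "__main__":
    # Constructed samples: one attr per attribute, since ';' cannot appear in a value.
    for attrs in ([], ["SameSite=None"], ["SameSite=None", "Secure"]):
        header = build_set_cookie("SRV", "s1", attrs)
        print(header, "->", audit(header, "SRV") or "ok")
```

Because ';' is forbidden inside a value, a pair such as SameSite=None plus Secure has to be passed as two separate attributes rather than one combined string.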
@capflam thanks for the commit! I've got a noob question, when you say you backported it to 1.8, that means I can modify the build before compiling haproxy on 1.8 and it should work? Or does that mean that the actual src download from http://www.haproxy.org/ for 1.8 will include the fix, because it doesn't seem like the changes are in the 1.8 src there. |
It means that the code in the Git repository already has the commit, and
that next 1.8 release will have it.
|
Here's a workaround if you can't upgrade: add a new frontend and backend in front of your listener that uses
This worked like a charm for me. |
Quick question for you @dmazurek: why is a new front and back needed? From my understanding, replace-header could have been on the existing backend, no? |
Same question for me as @mathieu-veron above. Why can't we use the existing backend? |
@mathieu-veron @panosziogas no, you cannot use the existing backend, because |
We are still running haproxy 1.8.23 and are not able to use Is it also possible meanwhile to use in the backend:

    rspirep ^(set-cookie:.*) \1;\ SameSite=None\ Secure

and is the syntax correct? |
For the backend I used the following syntax:

    rspirep ^(set-cookie:.*) \1;\ SameSite=None;Secure

and this works fine for me. In the meantime we need to upgrade to vs 1.8.24. So we can use the cookie option |
Chrome DevTools shows the following is working when inserting a new cookie. |
Hi. Can add attr and domain? |
Output of haproxy -vv and uname -a
What should haproxy do differently? Which functionality do you think we should add?
There is a "cookie" within HAproxy, which makes connections stick to specific services.
This cookie doesn't support setting the samesite parameter, with values like lax|strict|none.
What are you trying to do?
My use case is a service, which is embedded into an IFrame by others.
This means, any cookies by that service count as "third party cookies".
Discourse discussion: https://discourse.haproxy.org/t/set-samesite-none-for-haproxies-cookie/4483/5
The more general background is an upcoming change in Chrome and other browsers.
They're going to handle such cookies differently.
https://web.dev/samesite-cookie-recipes/
and