How to resolve the “Cookie Without SameSite Attribute” finding on the Azure Application Gateway affinity cookie

Satish Konda 1 Reputation point
2021-01-11T22:45:09.897+00:00

Found DAST scan error "Cookie Without SameSite Attribute" on front-end application.

Front-end application built on Node.js and React.js, deployed into an Azure VM and accessed via Azure Application Gateway.

I can see the three cookies being added in the response object in the browser:

Set-Cookie: ApplicationGatewayAffinity=fdasfdfsafdfasa; path=/; domain=xxxxx-xx.xxx.xx.uk
Set-Cookie: ApplicationGatewayAffinityCORS=fdsfdafdsafdfxfdfssafs; path=/; domain=xxxx-xxxx.xxxx.co.uk; secure
Set-Cookie: bm_sv=fdafdfsdfasffasdfsafsdfsafasffsadffdsfsfasfsdfsfxvxgdhgfwefw; Domain=.xxxxx.co.uk; Path=/; Max-Age=7003; HttpOnly

The error clearly shows that it will be cleared by adding the "SameSite" attribute to the cookie. But I am a bit new to Azure and could not find the Azure documentation on how to add the "SameSite" attribute. Please help with this.

Sorry if I have not elaborated the question clearly. Please feel free to ask if you do not understand the question.


1 answer
  1. GitaraniSharma-MSFT 46,931 Reputation points Microsoft Employee
    2021-01-12T07:55:04.107+00:00

    Hello @Anonymous,

    SameSite for Application Gateway is explained here - Azure Application Gateway HTTP settings configuration | Microsoft Learn

    The Chromium browser v80 update brought a mandate that HTTP cookies without the SameSite attribute have to be treated as SameSite=Lax. In the case of CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use the SameSite=None; Secure attributes and should be sent over HTTPS only. Otherwise, in an HTTP-only scenario, the browser doesn't send the cookies in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.

    For non-CORS requests, no change is needed and the application can continue to work as it is. For more information on the Chrome update, check this announcement, and for more information on the SameSite cookie attribute, check this detailed documentation. Please note that this change will affect not only Google Chrome users but any browser that uses the Chromium engine; check this document for a list of all the browsers that use Chromium.

    How does it impact Azure Application Gateway users?

    Azure Application Gateway uses gateway-managed cookies for maintaining user sessions. When a user sends the first request to Application Gateway, it sets an affinity cookie in the response with a hash value which contains the session details, so that subsequent requests carrying the affinity cookie will be routed to the same backend server for maintaining stickiness. If session affinity is being used for cross-domain or CORS scenarios, for example, the user accesses websiteA.com (first-party) and it has an iFrame with domain websiteB.com (third-party), the browser won’t send the affinity cookie to websiteB.com.
    Please note that this only impacts users who have Cookie Based Affinity enabled in Application Gateway. If you don’t have affinity enabled, you can ignore this. On a side note, this will also affect your application if it relies on cross-domain cookie sharing.

    Recommendations:

    Scenario #1: Application running on HTTPS and Cookie Based Affinity is enabled with CORS scenario
    In this case, Application Gateway will be injecting another identical cookie called “ApplicationGatewayAffinityCORS” in addition to the existing ApplicationGatewayAffinity cookie. This cookie is similar, but it will now have two more attributes, “SameSite=None; Secure”, added to it so that sticky sessions can be maintained even for cross-origin requests. No change is needed from your side; instead of a single affinity cookie, clients will see two cookies.
    Please note that the default affinity cookie name is ApplicationGatewayAffinity and this can be changed by users. In case you are using a custom affinity cookie name, an additional cookie will be added with CORS as the suffix, for example, “CustomCookieNameCORS”.

    Scenario #2: Application running on HTTP and Cookie Based Affinity is enabled with CORS scenario
    It is mandatory that if the attribute SameSite=None is set, the cookie should also contain the Secure flag and should be sent over HTTPS. Hence, if session affinity is required over CORS, you would need to migrate your workload to HTTPS. Please refer to the SSL offload and End-to-End SSL documentation for Application Gateway here – Overview, How-to configure SSL offload, How-to configure End-to-End SSL.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

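As an added illustration (this is not code from the question or the answer above, and not Application Gateway's own implementation): a small Node.js script that audits Set-Cookie headers the way the DAST scanner does, applying the Chromium rules the answer describes (no SameSite means Lax; SameSite=None is dropped without Secure; a Secure cookie cannot be set over plain HTTP), and that builds the application's own cookies with SameSite set. The sample headers are constructed to have the shape of the three cookies in the question, with the CORS twin given the SameSite=None; Secure attributes of scenario #1; the domain names, the file name and the corsTwin function (a model of the scenario #1 behaviour, not the gateway's code) are assumptions.

```javascript
// Added example (not code from the Q&A above, nor Application Gateway's own):
// audit Set-Cookie headers for the SameSite attribute the DAST scanner flagged,
// applying the Chromium 80 rules the answer describes, and build a correct header.
// Runs stand-alone with `node samesite-audit.js` (the file name is an assumption).

// Constructed sample headers, shaped like the three cookies in the question.
// The CORS twin is given the "SameSite=None; Secure" attributes of scenario #1.
const SAMPLE_SET_COOKIES = [
  'ApplicationGatewayAffinity=fdasfdfsafdfasa; path=/; domain=app.example.co.uk',
  'ApplicationGatewayAffinityCORS=fdsfdafdsafdfxfdfssafs; path=/; domain=app.example.co.uk; Secure; SameSite=None',
  'bm_sv=fdafdfsdfasff; Domain=.example.co.uk; Path=/; Max-Age=7003; HttpOnly',
];

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attrs: {},
  };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Report what a Chromium-based browser does with the cookie:
//  - no SameSite attribute          -> treated as Lax (this is the scanner's finding)
//  - SameSite=None without Secure   -> cookie rejected
//  - Secure cookie set over http:// -> cookie rejected (the answer's scenario #2)
function auditSetCookie(header, servedOverHttps = true) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const secure = attrs.secure === true;
  const sameSite = attrs.samesite === undefined ? undefined : String(attrs.samesite).toLowerCase();
  let effective = 'Lax';
  if (sameSite === undefined) {
    findings.push('missing-samesite');
  } else if (sameSite === 'none') {
    effective = 'None';
    if (!secure) findings.push('none-without-secure');
  } else if (sameSite === 'strict') {
    effective = 'Strict';
  } else if (sameSite !== 'lax') {
    findings.push('unknown-samesite-value'); // handled like a missing attribute
  }
  if (secure && !servedOverHttps) findings.push('secure-cookie-over-http');
  const rejected = findings.includes('none-without-secure') || findings.includes('secure-cookie-over-http');
  return { name, effectiveSameSite: rejected ? 'rejected' : effective, findings };
}

function auditAll(headers, servedOverHttps = true) {
  return headers.map((h) => auditSetCookie(h, servedOverHttps));
}

// Build a Set-Cookie header for the application's own cookies, refusing the
// SameSite=None-without-Secure combination that browsers drop.
function buildSetCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite || 'Lax';
  if (sameSite === 'None' && !opts.secure) {
    throw new Error('SameSite=None requires the Secure attribute (and HTTPS)');
  }
  const parts = [`${name}=${value}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Model of the scenario #1 behaviour the answer describes (an illustration only,
// not Application Gateway's implementation): a second cookie named <name>CORS
// with the same value plus "SameSite=None; Secure".
function corsTwin(affinityHeader, suffix = 'CORS') {
  const c = parseSetCookie(affinityHeader);
  return buildSetCookie(c.name + suffix, c.value, {
    domain: typeof c.attrs.domain === 'string' ? c.attrs.domain : undefined,
    path: typeof c.attrs.path === 'string' ? c.attrs.path : '/',
    secure: true,
    sameSite: 'None',
  });
}

for (const r of auditAll(SAMPLE_SET_COOKIES)) {
  console.log(`${r.name}: SameSite=${r.effectiveSameSite}`, r.findings.length ? r.findings : 'ok');
}
```

Running it reports the gateway-managed ApplicationGatewayAffinity cookie (and the bm_sv cookie) as missing SameSite and the CORS twin as clean, which matches the answer's point that the gateway does not change its original affinity cookie but adds the twin. Any cookie the Node/React application sets itself can be emitted through buildSetCookie, or the equivalent SameSite option of whatever cookie library the application uses, so that the scanner no longer flags it.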