We seem to have some trouble with the SameSite setting missing in the ROUTERID-cookies used by the Webserver protection session stickiness. Since the introduction of Chrome 80 we see an increase of users not returning to the same real servers. This only seems to happen when the user returns to our domain via a POST-request from an external site and seems to have all to do with the defaulting to 'lax' by Chrome >80.
Has anybody else seen this, or does anybody know how to work around this (other than hacking the httpd.conf files)?
Hello M.D
Thank you for contacting the Sophos Community.
I asked a senior Support Engineer, but they asked whether you have any example so we can ask DEV about this; it might just be an issue with Chrome 80.
Do you have any log that you can share?
Regards,
Hello Emmosophos,
We are having the same issue. Apparently Chrome changed something a few weeks ago. You can read about that change here.
https://www.chromestatus.com/feature/5088147346030592
I guess we need to be able to change that SameSite attribute of the cookie the UTM sends for the routeid.
I hope you can help.
Hello Martijn,
Thank you for contacting the Sophos Community and for the link.
If you haven't applied the workaround provided above your post, please do so for now. Also, if possible, please send us the config file before and after the change.
Also, do you have multiple real servers for the virtual server, or is it just one and one?
Thank you for the reply.
I will do the workaround later today.
We have one virtual server, pointing to 3 real servers.
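
Added example (not part of any post in this thread, and not Sophos code): a small Python model of the Chrome 80 rule discussed above, showing why a ROUTERID cookie without a SameSite attribute is not carried by a cross-site POST back to the site. The cookie values, function names and sample headers are constructed for illustration.

```python
# Added example: models how Chrome 80 treats a cookie on a cross-site request.
# Not modelled: Chrome's temporary "Lax + POST" exception for cookies younger
# than two minutes, and the HTTPS requirement for Secure cookies.
from dataclasses import dataclass
from typing import List, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # None when the attribute is absent
    secure: bool

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into the fields that matter here."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return Cookie(first.split("=", 1)[0], attrs.get("samesite") or None, "secure" in attrs)

def is_sent(cookie: Cookie, method: str, cross_site: bool = True,
            top_level: bool = True, chrome80: bool = True) -> bool:
    """Return True if the browser attaches the cookie to the request."""
    if not cross_site:
        return True
    # Chrome 80 treats a missing SameSite attribute as Lax; older builds as None.
    mode = cookie.samesite or ("lax" if chrome80 else "none")
    if mode == "none":
        # Chrome 80 also rejects SameSite=None cookies that lack Secure.
        return cookie.secure or not chrome80
    if mode == "strict":
        return False
    # Lax: only top-level navigations using a safe method carry the cookie.
    return top_level and method.upper() in SAFE_METHODS

def dropped_on_cross_site_post(headers: List[str]) -> List[str]:
    """Names of cookies a cross-site POST back to the site would not carry."""
    cookies = [parse_set_cookie(h) for h in headers]
    return [c.name for c in cookies if not is_sent(c, "POST")]

# Constructed sample headers (illustrative values, not captured from a UTM).
SAMPLE = [
    "ROUTERID=.1; path=/",
    "ROUTERID=.1; path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    print(dropped_on_cross_site_post(SAMPLE))
```

Feeding it the Set-Cookie values seen in a browser's network panel shows which stickiness cookies would be missing when a user is posted back from an external site.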