SameSite setting for ROUTERID-cookies

Question

We seem to have some trouble with the SameSite setting missing in the ROUTERID-cookies used by the Webserver protection session stickiness. Since the introduction of Chrome 80 we see an increase of users not returning to the same real servers. This only seems to happen when the user returns to our domain via a POST-request from an external site and seems to has all to do with the defaulting to 'lax' by Chrome >80. 
 Does anybody also seen this or know how to work around this (other then hacking the httpd.conf files)?

M.D. Klapwijk · Accepted Answer

Hi Emmanuel, 
 As a temporary fix we've done the following on our UTM's: 
 sed -i.old 's/secure" env=BALANCER_ROUTE_CHANGED/secure; SameSite=None" env=BALANCER_ROUTE_CHANGED/' /var/storage/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf /var/mdw/scripts/reverseproxy restart 
 The problem manifests itself when we send users to external payment/transaction pages from which they return with an HTTP-POST request: 
 2020:08:03-16:48:10 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="5189" url="/payment/" server="payment.ourdomain.com" port="443" query="?transaction=12BldOAW6ahd43lfKswziZrXXXXXXXXXXXXXXXXX&lang=fr_FR" referer=" www.ourcustomer.fr/.../ cookie="-" set-cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygjqmmthQ3Q7CWYvyUDxwAAAU8" ... 2020:08:03-16:51:15 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="14" user="-" host="17.28.x.x" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="49676" url="/favicon.ico" server="payment.ourdomain.com" port="443" query="" referer=" payment.ourdomain.com/.../ cookie="PHPSESSID=st6tnfcsq9j6jqb2dpr72etsv5; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node1; __cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XygkYwuS44FLy5unoyxKwQAAAa0" 2020:08:03-16:51:33 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="3" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-" 2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="POST" statuscode="302" reason="-" extra="-" exceptions="-" time="1927255" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer=" sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="-" set-cookie="PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; path=/; domain=payment.ourdomain.com; secure; HttpOnly, ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2; path=/; httponly; secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkh-6d5VZZUwGx3xxAIQAAADw" 2020:08:03-16:51:53 utm-01-2 httpd: id="0299" srcip="17.28.x.x" localip="165.59.x.x" size="0" user="-" host="17.28.x.x" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="4141" url="/payment/ext-cmplt/" server="payment.ourdomain.com" port="443" query="?type=directmerchantdeposit&mspid=38XXXXXXXXXXXX" referer=" sg-3ds.wlp-acs.com/.../paRequestFromAuthPages" cookie="__cfduid=d4e77b66272078e2512821e98140851a01596466092; _ga=GA1.2.1809436613.1596466157; _gid=GA1.2.51278862.1596466157; PHPSESSID=3poqtt7bvktg5pjd9m94q9fpk2; ROUTEID.258030ef20bcfe4db4a6d742388e7563=.node2" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Xygkif6d5VZZUwGx3xxANAAAADw" 
 Regards, 
 
 Marcel 
 
 P.S. Do not forget that any changes in 'webserver protection' done in the GUI will revert these changes, as will an HA-switch-over!