HAProxy community

Set "SameSite=None" for haproxy's cookie

Chrome (and probably other browsers) are changing their default cookie behavior for cross-site requests. The implication is that I need to add “samesite=none; secure;” to HAProxy’s cookie.
Is this possible?

There is a recent blogpost about this change.

Are you talking about cookies set by the backend application? Or are you talking about cookies set by haproxy for stickiness?

The one set by haproxy for stickiness.

No, that is not the case. Even if the new default becomes SameSite=Lax this does not impact stickiness cookies, because stickiness cookies are “first-party” cookies.

Also, the secure flag requires HTTPS, and we can certainly not require HTTPS for everything.

I think you are misinterpreting how samesite works.

Well, I’m certainly not an expert, but the case I have here at hand is embedding in an iframe. Piecing this together from the web.dev article “SameSite cookie recipes”:

Any cookies used by that site will be considered as third-party cookies when the site is displayed within the frame.

and

For cookies needed in a third-party context, you will need to ensure they are marked as SameSite=None; Secure.

Configuring my Chrome browser to impose the new rules, I can’t see HAProxy’s cookie any more for that specific use case.

I do not intend to require changing the default setting of this cookie – I’m just wondering about a way to configure it. Regarding HTTP/HTTPS, I am aware of a secure setting for the haproxy cookie and I assume this is exactly for that. I am asking if there is a similar way to set “SameSite”, e.g. samesite : strict|lax|none.

Then iframes over HTTP (non-HTTPS) requiring cookies will never work in those new browsers. Only with HTTPS and the samesite setting can those iframes work.

Currently, haproxy does not support configuring individual additional settings like samesite. I suggest you file a feature request on GitHub for this:
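An added example of the header-rewrite workaround discussed above (not from this thread and not HAProxy's own documentation), assuming a backend named be_app, the stickiness cookie name SERVERID and a placeholder certificate path; it appends Secure and SameSite=None only on TLS responses, since browsers reject SameSite=None without Secure:

```haproxy
# Added example: the "cookie" directive has no samesite option, so the
# attribute is appended with a Set-Cookie rewrite instead (assumption: this
# is a workaround, not a native setting). Names and paths are placeholders.
frontend fe_web
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder path
    default_backend be_app

backend be_app
    balance roundrobin
    # "secure" on the cookie line would add Secure unconditionally, which
    # breaks plain-HTTP clients; Secure is added only on HTTPS below instead.
    cookie SERVERID insert indirect nocache
    server app1 10.0.0.11:8080 check cookie app1
    server app2 10.0.0.12:8080 check cookie app2

    # Matches only the stickiness cookie (anchored on SERVERID=), leaving the
    # application's own Set-Cookie headers untouched. \1 keeps the original
    # value; "\ " escapes the spaces in the replacement. ssl_fc is true only
    # when the client connection was TLS, so SameSite=None never ships
    # without Secure.
    http-response replace-header Set-Cookie ^(SERVERID=.*)$ \1;\ Secure;\ SameSite=None if { ssl_fc }
```

Over plain HTTP the cookie is still set without these attributes, so an iframe embedding the site cross-site will only keep stickiness when the page is loaded over HTTPS.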