You might already know that Chrome had been gradually rolling out default security changes for third-party cookies as part of the new version 80 release. Due to COVID-19, this enforcement is now temporarily being rolled back.

What are these security changes?

When this enforcement is rolled out, by default any cookie that does not carry a SameSite attribute will be treated as if it were marked “Lax.” The SameSite attribute tells the browser whether the cookie may be sent in first-party contexts only or in third-party contexts as well.

For example, when you access a website by entering the URL in the address bar, you’re accessing first-party content. However, there might be content within those webpages — iframes, for instance — that come from a different website. This is considered third-party content.

A SameSite attribute that is marked as “Lax” restricts the cookie to first-party only. On Citrix ADC, the SameSite attribute in cookies that are used for persistence is not present by default.

Such cookies will be treated as “Lax” in Chrome 80 and can only be used in first-party contexts. This could break cookie-based persistence if, for example, an iframe in a web page served from a non-ADC hosted site points to a site that sits behind an ADC and uses cookie persistence.

This change enhances security, but it requires customers and partners to test Citrix ADC deployments that rely on cookies.
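To make the rule above concrete, the following added example (not Citrix code) classifies captured Set-Cookie header values the way Chrome 80 does: a cookie with no SameSite attribute becomes Lax, and SameSite=None is only honoured when Secure is also present. The header values and cookie names are constructed for illustration.

```python
"""Classify Set-Cookie headers under Chrome 80's SameSite defaults (illustrative example)."""
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    samesite: str   # effective SameSite value after Chrome's defaults: Strict, Lax or None
    explicit: bool  # True if the server set a recognised SameSite value itself
    secure: bool
    rejected: bool  # True when Chrome 80 drops the cookie entirely
    reason: str


def classify(set_cookie: str) -> CookieVerdict:
    """Apply the Chrome 80 rules to a single Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").capitalize()  # "none" -> "None", "" stays ""
    if samesite not in ("Strict", "Lax", "None"):
        # No (usable) SameSite attribute: Chrome 80 defaults the cookie to Lax,
        # which is exactly the case of an ADC persistence cookie without the attribute.
        return CookieVerdict(name, "Lax", False, secure, False,
                             "no SameSite attribute: treated as Lax, first-party only")
    if samesite == "None" and not secure:
        return CookieVerdict(name, "None", True, False, True,
                             "SameSite=None without Secure: rejected by Chrome 80")
    return CookieVerdict(name, samesite, True, secure, False, "explicit SameSite honoured")


def usable_in_third_party_iframe(verdict: CookieVerdict) -> bool:
    """Would Chrome 80 send this cookie on a request made from a cross-site iframe?"""
    return not verdict.rejected and verdict.samesite == "None"


def audit(headers):
    """Classify every Set-Cookie value from a captured response."""
    return [classify(h) for h in headers]


# Constructed sample headers, not captured from a real appliance.
SAMPLE_HEADERS = [
    "persist=abc123; Path=/; HttpOnly",            # persistence-style cookie, no SameSite
    "session=xyz; Path=/; Secure; SameSite=None",  # corrected cookie, usable cross-site
    "track=1; SameSite=None",                      # None without Secure: dropped
    "csrf=tok; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_HEADERS):
        print(f"{v.name}: SameSite={v.samesite} rejected={v.rejected} ({v.reason})")
```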

How Do You Test Websites Front-Ended on Citrix ADC?

You can enable these SameSite flags in your current version of Chrome for testing. In the address bar, enter chrome://flags and search for “samesite.” Enable both “SameSite by default cookies” and “Cookies without SameSite must be secure,” then relaunch the browser.

Navigate to the site you want to test. Open the Developer Tools and go to the Console tab. Here, you’ll see if and why any cookie has been blocked.

Switch to the Network tab to review the cross-site requests. The Cookies tab presents the values of each cookie attribute, including SameSite and Secure, and the tooltip explains why a given cookie was blocked.

My Citrix ADC hosted sites are impacted by Chrome 80… What can I do?

Configuration-level options to accommodate this change are now available in Citrix ADC versions 13.0 52.24, 12.1 55.24, 12.0 63.21 and 11.1 64.11. For Load Balancing, GSLB, and Content Switching cookies, there are new configurable attributes that can be set either globally or at a vServer level using profiles. Read more about these cookie attributes here.

For AAA and Gateway vServers, there is a new SameSite menu as part of the Basic Settings. Read more about AAA cookie attributes here and Gateway here.

In addition, we have released CTX269469, which includes workarounds for any affected Citrix ADC appliances not running the updated firmware. We’ve also provided a workaround for any back-end application cookies that are impacted.