Hi.

On 02.04.20 09:36, Matthias Zepf wrote:
Hi,

for a client we develop a web shop application that handles payment by 
redirecting the user to a page of a payment service provider. After successful 
(or failed) payment the user is redirected back to our application with a POST 
request. With Chrome 80 this began to be a problem because on cross-domain POST 
requests the cookies are no longer transmitted. This can be fixed by setting 
SameSite=None on the cookies, which we did (also for the haproxy persistent 
session cookie), and it works fine.

But there is a new problem: old browsers, especially Safari on macOS < 10.15 and 
iOS < 13. These browsers do not know the value "None" for the parameter "SameSite" 
and treat unknown values as "Strict". So, no cookies for these browsers on the 
cross-domain POST request.

For the web application we fixed this by adding 2 cookies, one with 
SameSite=None and another (“legacy” cookie) without SameSite parameter.

Any ideas on how to handle this problem for haproxy?

Just an idea.

You can try to use 2 backends as the cookie statement can be set per backend.

use_backend legacy_clients if { req.hdr(user-agent) -m sub ios }   # or whatever the UA string is
use_backend new_clients if !{ req.hdr(user-agent) -m sub ios }     # or whatever the UA string is

Examples are from here 
https://www.haproxy.com/blog/introduction-to-haproxy-acls/

This will have to be changed when the UA is gone, which is the plan from Google.

https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/
https://wicg.github.io/ua-client-hints/


Thanks
Matthias

Regards
Aleks

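A fuller version of the two-backend idea from the reply above, added here as an example; it is not configuration from the original thread or from the HAProxy project. It assumes an HAProxy version that supports the attr option on the cookie line (2.1 or later), assumed server addresses and certificate path, and User-Agent fragments derived from the macOS < 10.15 / iOS < 13 criterion in the question (iOS 12 and macOS 10.14 Safari); those fragments are an assumption and should be checked against real log lines before being relied on. The application's own session cookie is still handled by the application (the two-cookie approach); this only covers the HAProxy persistence cookie.

```haproxy
frontend fe_shop
    bind :443 ssl crt /etc/haproxy/certs/shop.pem   # assumed certificate path

    # Assumed UA fragments for the browsers that treat SameSite=None as Strict:
    # iOS 12 ("iPhone OS 12_" on iPhone, "CPU OS 12_" on iPad) and Safari on
    # macOS 10.14 ("Mac OS X 10_14" together with "Safari"). Verify in your logs.
    acl ua_ios12   req.hdr(user-agent) -m reg -i "(iPhone|CPU) OS 12_"
    acl ua_mac1014 req.hdr(user-agent) -m reg -i "Mac OS X 10_14.*Safari"

    # Named ACLs are combined in the condition, not on an acl line.
    use_backend be_shop_legacy if ua_ios12 or ua_mac1014
    default_backend be_shop

backend be_shop
    balance roundrobin
    # Modern browsers: Chrome 80+ drops the persistence cookie on the cross-site
    # POST coming back from the payment provider unless it carries SameSite=None,
    # and SameSite=None is only accepted together with Secure.
    cookie SRV insert indirect nocache httponly secure attr "SameSite=None"
    server web1 10.0.0.11:8080 check cookie web1   # assumed addresses
    server web2 10.0.0.12:8080 check cookie web2

backend be_shop_legacy
    balance roundrobin
    # Old Safari: same servers and same cookie name, but no SameSite attribute
    # at all, because these browsers treat the unknown value "None" as "Strict".
    cookie SRV insert indirect nocache httponly secure
    server web1 10.0.0.11:8080 check cookie web1
    server web2 10.0.0.12:8080 check cookie web2
```

Both backends point at the same servers and use the same cookie name and per-server cookie values, so persistence is unaffected by which backend a given browser is routed to; the only difference is the attribute string on Set-Cookie. Validate the file with haproxy -c -f before reloading, and watch the legacy backend's traffic once the incompatible browsers are gone so the special case can be retired.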