
Setting the SameSite Attribute

To help prevent cross-site request forgery attacks, the default SameSite attribute on the session server cookie has been updated from None (less restrictive) to Lax (more restrictive).

With the attribute set to Lax, the browser does not send the session server cookie on cross-site requests. Such requests are routine when the JavaScript SDK is used and in SAML authentication, so both break under the new default.

This change affects two areas of HACloud:

  • The JavaScript SDK and
  • SAML authentication behind a load balancer

In these cases you'll need to adjust the attribute value to None.
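To make clear why the default breaks these two cases, here is an added example (not part of the HACloud documentation) that models the browser's SameSite decision in simplified form; the cookie name and the two request scenarios are constructed for illustration. It also shows the caveat that a SameSite=None cookie is only accepted when it is also marked Secure, so the session server must be reached over HTTPS.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str      # "strict", "lax" or "none" (case-insensitive)
    secure: bool = True

@dataclass(frozen=True)
class Request:
    cross_site: bool   # initiator site differs from the request's site
    top_level: bool    # navigation (address bar changes) vs. subresource/XHR
    method: str = "GET"

def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Simplified model of the browser's SameSite check (RFC 6265bis)."""
    mode = cookie.samesite.lower()
    if mode == "none" and not cookie.secure:
        # Browsers reject SameSite=None cookies that are not marked Secure.
        return False
    if not req.cross_site:
        return True               # same-site: always sent
    if mode == "none":
        return True               # explicitly allowed cross-site
    if mode == "lax":
        # Lax allows only top-level navigations with safe methods.
        return req.top_level and req.method.upper() in ("GET", "HEAD")
    return False                  # strict: never cross-site

# Constructed scenarios matching the two cases described above.
SAML_RESPONSE_POST = Request(cross_site=True, top_level=True, method="POST")
JS_SDK_XHR = Request(cross_site=True, top_level=False, method="POST")
SAME_SITE_GET = Request(cross_site=False, top_level=True)

def session_cookie_outcomes(samesite: str, secure: bool = True) -> dict:
    cookie = Cookie("hacloud-session", samesite, secure)  # illustrative name
    return {
        "saml_post": cookie_is_sent(cookie, SAML_RESPONSE_POST),
        "js_sdk_xhr": cookie_is_sent(cookie, JS_SDK_XHR),
        "same_site": cookie_is_sent(cookie, SAME_SITE_GET),
    }

if __name__ == "__main__":
    for mode in ("lax", "none"):
        print(mode, session_cookie_outcomes(mode))
```

Under Lax both cross-site scenarios lose the cookie; under None they keep it, which is why the procedure below changes the value.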

  1. Open the Administrative Console, and launch Cluster Management.

    (Screenshot: Cluster Management drop-down)

  2. Click Services and locate the hacloud-session-server service.

  3. Open the Edit Properties option from the ellipsis menu.

  4. Add a new property:

    • Name - samesite.cookie.attribute
    • Value - none

  5. Click OK.

  6. From the same ellipsis menu associated with the hacloud-session-server service, choose Redeploy All. Click Yes when prompted. Wait for the session servers to redeploy.

Setting the SameSite attribute for a multi-node cluster

Additional configuration is needed when using the JavaScript SDK with a multi-node (multiple session servers) cluster. The SameSite attribute must also be configured for the session server load balancer cookie.

  1. Follow step 1 above.

  2. Click Advanced from the left pane.

  3. Enable the Kubernetes Dashboard. This may take several seconds.

  4. Copy the Authentication Token using the copy icon.

  5. Launch the Kubernetes Dashboard using the Kubernetes Dashboard URL.

  6. Paste the Authentication Token you copied to the clipboard, and click Sign In.

  7. Under Service in the left pane, click Services.

  8. Locate (you may need to scroll) and open the hacloud-session-server-lb service.

  9. On the hacloud-session-server-lb service page, click edit to edit the service.

  10. In the Edit Resource dialog box, locate the annotations section near the top of the file. Change the value of the samesite annotation, traefik.ingress.kubernetes.io/service.sticky.cookie.samesite, from lax to none.

    (Screenshot: Kubernetes annotations)

  11. Click Update. On the hacloud-session-server-lb service page, verify that the traefik.ingress.kubernetes.io/service.sticky.cookie.samesite annotation shows the new value.

  12. Sign out and close the Kubernetes Dashboard and the Administrative Console.