In previous releases, Single Sign On data connections did not include either a "SameSite" or a "Secure" parameter in the Set-Cookie header. With this release, the "Secure" parameter is always sent and, by default, the "SameSite" parameter is not added. The SameSite option can be set globally or per Virtual Service:

  • The global setting on the System Configuration > Miscellaneous Options > L7 Configuration page can be set to the following values:
    • SameSite Option Not Added (the default value, compatible with previous releases)
    • None
    • Lax
    • Strict
  • The Virtual Service setting appears under ESP Options when ESP is enabled and Client Authentication Mode is set to Forms Based. The default value at this level is the System Default setting, which means it's the same as the global setting. The other values shown above can also be set at the VS level.
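
To confirm which setting is in effect after an upgrade, the Set-Cookie header returned by the login form can be checked against the expected value. The following is an added example, not code from the product or its documentation; the cookie name SSO_SESSION and the sample headers are constructed, and `expected_samesite=None` stands for "SameSite Option Not Added".

```python
# Added example: audit a Set-Cookie header for the Secure and SameSite attributes.
SAMESITE_VALUES = {"none": "None", "lax": "Lax", "strict": "Strict"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header, expected_samesite=None):
    """Return (name, samesite, findings); samesite is None when the attribute is absent."""
    name, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs
    raw = attrs.get("samesite")
    samesite = SAMESITE_VALUES.get(raw.lower()) if raw is not None else None
    if not secure:
        findings.append("Secure missing (this release always sends it)")
        if samesite == "None":
            # Browsers enforcing the current SameSite rules drop such a cookie.
            findings.append("SameSite=None requires Secure")
    if raw is not None and samesite is None:
        findings.append(f"unrecognised SameSite value {raw!r}")
    elif samesite != expected_samesite:
        findings.append(
            f"SameSite is {samesite or 'not added'}, "
            f"expected {expected_samesite or 'not added'}"
        )
    return name, samesite, findings

# Constructed sample headers (hypothetical cookie name and value).
SAMPLES = [
    ("SSO_SESSION=abc123; Path=/; Secure; HttpOnly", None),            # default setting
    ("SSO_SESSION=abc123; Path=/; HttpOnly", None),                    # pre-upgrade shape
    ("SSO_SESSION=abc123; Path=/; Secure; SameSite=Lax", "Strict"),    # VS override not applied
    ("SSO_SESSION=abc123; Path=/; SameSite=None", "None"),             # unusable combination
]

if __name__ == "__main__":
    for header, expected in SAMPLES:
        name, samesite, findings = audit_cookie(header, expected)
        print(name, samesite, findings or "OK")
```

When the SameSite parameter is not added, the browser applies its own default, so behaviour can differ between browsers even though the header is unchanged.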