Commit b7434e4

surajmbvhorne
andauthored
Update articles/application-gateway/configuration-overview.md
Co-Authored-By: Vic <[email protected]>
1 parent c9a86ce commit b7434e4

1 file changed

+1
-1
lines changed

articles/application-gateway/configuration-overview.md

Lines changed: 1 addition & 1 deletion
@@ -254,7 +254,7 @@ This feature is useful when you want to keep a user session on the same server a
254254

255255
The [Chromium browser](https://www.chromium.org/Home) [v80 update](https://chromiumdash.appspot.com/schedule) brought a mandate where HTTP cookies without [SameSite](https://tools.ietf.org/id/draft-ietf-httpbis-rfc6265bis-03.html#rfc.section.5.3.7) attribute has to be treated as SameSite=Lax. In the case of CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use *SameSite=None; Secure* attributes and it should be sent over HTTPS only. Otherwise, in a HTTP only scenario, the browser doesn't send the cookies in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.
256256

257-
To support this change, starting February 17th 2020, Application Gateway (all the SKU types) would be injecting another cookie called **ApplicationGatewayAffinityCORS** in addition to the existing **ApplicationGatewayAffinity** cookie, which is similar, but this cookie will now have two more attributes **"SameSite=None; Secure"** added to it so that sticky session can be maintained even for cross-origin requests.
257+
To support this change, starting February 17th 2020, Application Gateway (all the SKU types) will inject another cookie called *ApplicationGatewayAffinityCORS* in addition to the existing *ApplicationGatewayAffinity* cookie. The *ApplicationGatewayAffinityCORS* cookie has two more attributes added to it (*"SameSite=None; Secure"*) so that sticky session are maintained even for cross-origin requests.
258258

259259
Please note that the default affinity cookie name is *ApplicationGatewayAffinity* and this can be changed by the users. In case you are using a custom affinity cookie name, an additional cookie will be added with CORS as suffix, for example, *CustomCookieNameCORS*.
260260
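
Review bot: On the added line 257, "so that sticky session are maintained" has a subject-verb disagreement; it should read "so that sticky sessions are maintained". The parenthetical (*"SameSite=None; Secure"*) also puts quotation marks inside the emphasis, while the context line at 255 writes the same attributes as *SameSite=None; Secure* with no quotes, so dropping the quotes would keep the two paragraphs consistent. Because line 255 says a cookie with these attributes is sent over HTTPS only, it would help to state in this sentence that the *ApplicationGatewayAffinityCORS* cookie keeps cross-origin sessions sticky only when the client reaches the gateway over HTTPS, so readers with HTTP-only setups do not expect it to work there.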
