Require to update cookie based session affinity application gateway in secure
Please add Secure http for application gateway cookie based session affinity in Azure. The websites are showing not secure for "ApplicationGatewayAffinity".
When the option "HTTPS Only" is enabled under "TLS/SSL settings" the cookie should definitely be sent as secure. At this point it's a bug rather than a suggestion or a must have.
Ted T commented
Looks like this is becoming a "must have" feature rather than a suggestion... Can this be done before Chrome update in 2020? Don't want to change system architecture just because application gateway is missing these options...
Lawrence Yao commented
Currently, the application gateway's affinity cookie does not include the "Secure" and "SameSite" attributes. However, the Chrome browser is bringing about new behaviour as discussed here: https://www.chromestatus.com/feature/5088147346030592
The Chrome browser will soon (Feb 2020) interpret a cookie without the SameSite attribute as SameSite=Lax. This means when the access URL above is embedded in an iframe (whose parent is from a different domain), Chrome will block the affinity cookie because it is being interpreted as SameSite=Lax, which may result in a loss of the affinity functionality.
Chrome will also block SameSite=None cookies that are not Secure.
So we propose the ability to set the application gateway affinity cookie to "Secure; SameSite=None" to prevent loss of functionality when Chrome v80 goes live.
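
The Chrome 80 cookie handling described in the comment above can be checked against a captured `Set-Cookie` header. This is an added example, not part of the thread and not Azure or Chrome code; the function names and the sample cookie values are constructed for illustration.

```python
# Added example: audit a Set-Cookie header against the Chrome 80 rules from the thread.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Report how a browser applying the Chrome 80 rules would treat the cookie."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    findings = []
    if not secure:
        findings.append("no Secure attribute: cookie is also sent over plain HTTP")
    if samesite not in ("strict", "lax", "none"):
        # A missing (or unrecognised) SameSite value is interpreted as Lax.
        samesite = "lax"
        findings.append("no SameSite attribute: interpreted as SameSite=Lax")
    rejected = samesite == "none" and not secure
    if rejected:
        findings.append("SameSite=None without Secure: cookie is blocked")
    return {
        "name": name,
        "effective_samesite": samesite,
        "rejected": rejected,
        # Only an accepted SameSite=None cookie accompanies requests from a
        # frame whose parent page is on a different site.
        "sent_in_cross_site_iframe": samesite == "none" and not rejected,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample headers; the cookie value is a placeholder.
    samples = [
        "ApplicationGatewayAffinity=abc123; Path=/",
        "ApplicationGatewayAffinity=abc123; Path=/; SameSite=None",
        "ApplicationGatewayAffinity=abc123; Path=/; Secure; SameSite=None",
    ]
    for header in samples:
        print(header, "->", audit_cookie(header))
```
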