AWS LB sticky session and SameSite

Based on https://www.chromium.org/updates/same-site, it looks like cookies will be handled differently if there is no SameSite attribute specified, so when the sticky session cookie is created it should contain SameSite=None. Do you know how this will be handled by AWS LB when sticky session is enabled? Will it be handled automatically, or shall we place some special configuration?

On the other hand, this attribute does not work with all browsers, so I am wondering if this will be considered as well.

thanks in advance!

Federico Alvariz asked Dec 23 '19 17:12


1 Answer

AWS has posted an update at https://forums.aws.amazon.com/ann.jspa?annID=7413. Some cases will work automatically and others will require changes.

Use Case #1: Customers with CORS use cases using duration based cookie stickiness on CLB and ALB and/or weighted target groups feature with stickiness enabled on ALB: While these CORS use cases are affected by the Chromium update, customers using Elastic Load Balancers (ELB) are not required to perform any action. The AWSELB (CLB), AWSALB (ALB), and AWSALBTG (ALB Weighted Target Groups) are given to clients with the response for each request where stickiness is enabled and contain an encrypted payload that includes the details of the session and backend targets, which the client's session is associated with. For continued stickiness support with CORS use cases after the Chromium update, we are creating additional stickiness cookies for each of these duration-based stickiness features named AWSELBCORS (CLB), AWSALBCORS (ALB), and AWSALBTGCORS (ALB weighted target group) respectively. With the exception of the cookie attributes 'SameSite=None; Secure', these cookies will be identical to the original ELB generated stickiness cookies. The software updates including this change will be deployed to all CLBs and ALBs by February 4th, 2020. You can confirm the change is working on your stickiness-enabled load balancer by making HTTPS requests to it and confirming you receive the new cookie in addition to the original cookie.

Use Case #2: Customers with CORS use cases using HTTPS with application cookie stickiness on CLB: CLBs using application cookie stickiness copy the attributes of the cookie you configure in the backend. This currently supports the 'secure' attribute, and we are deploying a change to also support the 'SameSite' attribute. Software updates for this change are in progress and will be complete by Jan 26, 2020. To ensure that stickiness continues to work with your CORS use case after the Chromium update, you will need to update the application cookie in your backend target that you previously created to include 'SameSite=None; Secure' after Jan 26, 2020.

Use Case #3: Customers with CORS use cases using non-HTTPS with application cookie stickiness on CLB: If you are not using HTTPS on your stickiness-enabled CLB for your CORS use case, you will need to migrate that workload to HTTPS or a non-CORS configuration. This work may be in addition to any work you have to do for use case #2.

worpet answered Sep 23 '22 00:09
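The answer's use case #1 says you can confirm the rollout by making HTTPS requests to a stickiness-enabled load balancer and checking that the CORS cookie (AWSELBCORS, AWSALBCORS or AWSALBTGCORS) arrives next to the original one, and use case #2 says a CLB application stickiness cookie must itself carry `SameSite=None; Secure`. The script below is an added example, not code from the question, the answer or AWS: it parses every `Set-Cookie` header of a response, reports for each stickiness cookie pair whether the CORS variant is present and correctly flagged, and builds a backend application cookie that satisfies use case #2. The cookie names come from the quoted announcement; the hostname is a command-line placeholder, the function names are mine, and `SAMPLE_HEADERS` is a constructed response so the audit runs offline. It does not address the browser-compatibility concern raised in the question, only the cookie attributes.

```python
"""Audit ELB stickiness cookies for the 'SameSite=None; Secure' CORS variants.

Added example (not from the original post or from AWS). Cookie names are the
ones named in the AWS announcement quoted in the answer; SAMPLE_HEADERS is a
constructed response and the hostname argument is a placeholder.
"""
import http.client
from typing import Dict, List, Optional

# (original cookie, CORS variant) pairs named in the AWS announcement.
STICKINESS_COOKIE_PAIRS = [
    ("AWSELB", "AWSELBCORS"),      # CLB, duration-based stickiness
    ("AWSALB", "AWSALBCORS"),      # ALB, duration-based stickiness
    ("AWSALBTG", "AWSALBTGCORS"),  # ALB weighted target groups
]


def parse_set_cookie(header_value: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie header into name/value plus lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) map to the empty string.
    Splitting on ';' first keeps the comma inside an Expires date intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def is_cross_site_capable(cookie: Dict[str, Optional[str]]) -> bool:
    """True when the cookie has both SameSite=None and Secure, which is what
    Chromium requires before it will send the cookie on cross-site requests."""
    samesite = (cookie.get("samesite") or "").lower()
    return samesite == "none" and "secure" in cookie


def audit_stickiness_cookies(set_cookie_headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each stickiness pair: was the original seen, was the CORS variant
    seen, and is the CORS variant actually usable cross-site."""
    seen = {c["name"]: c for c in (parse_set_cookie(h) for h in set_cookie_headers)}
    report: Dict[str, Dict[str, bool]] = {}
    for original, cors in STICKINESS_COOKIE_PAIRS:
        report[original] = {
            "original_present": original in seen,
            "cors_present": cors in seen,
            "cors_cross_site_ok": cors in seen and is_cross_site_capable(seen[cors]),
        }
    return report


def build_app_session_cookie(name: str, value: str, path: str = "/") -> str:
    """Set-Cookie value a backend behind a CLB with application cookie
    stickiness should emit after the update (use case #2 in the answer)."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure; SameSite=None"


def fetch_set_cookie_headers(host: str, path: str = "/") -> List[str]:
    """One HTTPS request to the load balancer; get_all() returns each
    Set-Cookie header separately instead of comma-joining them."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed sample of what an ALB with duration-based stickiness returns
# after the rollout described in the answer (payload values are dummies).
SAMPLE_HEADERS = [
    "AWSALB=dummyPayload; Expires=Tue, 04 Feb 2020 12:00:00 GMT; Path=/",
    "AWSALBCORS=dummyPayload; Expires=Tue, 04 Feb 2020 12:00:00 GMT; Path=/; SameSite=None; Secure",
]

if __name__ == "__main__":
    import sys
    # Usage: python audit_cookies.py my-lb-placeholder.elb.amazonaws.com
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, result in audit_stickiness_cookies(headers).items():
        print(name, result)
```

Run it with a load balancer hostname to check a live endpoint, or with no argument to see the audit over the constructed sample. A pair that shows `original_present` but not `cors_present` means the rollout has not reached that load balancer yet; `cors_present` without `cors_cross_site_ok` would mean the variant lacks one of the two required attributes.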