I had a security vulnerability pop up for one of the websites. The vulnerability is Insecure Cookie Configuration - SameSite Flag. After trying and analysing solutions, I saw that only ARRAffinity does not have the SameSite attribute set. I found the following solution for setting the ARRAffinity cookie's SameSite attribute in the web.config file:
<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Add SameSite Cookie Flag to ArrAffinity cookie" enabled="true">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
        <conditions>
          <add input="{R:0}" pattern="ARRAffinity=(.*)" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="Macintosh; Intel Mac OS X 10_14.+Version/.*Safari" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="CPU iPhone OS 12" ignoreCase="true" negate="true" />
          <add input="{HTTP_USER_AGENT}" pattern="iPad; CPU OS 12" ignoreCase="true" negate="true" />
        </conditions>
        <action type="Rewrite" value="{HTTP_COOKIE};Path=/;HttpOnly;SameSite=None;secure" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
But after this, the website is showing two ARRAffinity cookies, one with SameSite=None and the other with SameSite still empty. Users are also having sign-in issues because of this. How can I fix this? If not, then is there any other way I can set up the SameSite attribute for ARRAffinity?
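
One way to confirm the symptom described above from a captured response is to audit its `Set-Cookie` headers for duplicate names and missing `SameSite`. This is an added example, not part of the original post; the function names and the sample header values are constructed for illustration.

```python
from collections import defaultdict


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs) with lowercase attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(set_cookie_headers):
    """Return a sorted list of (cookie_name, finding) for one HTTP response."""
    seen = defaultdict(list)
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        seen[name].append(attrs)

    findings = []
    for name, variants in seen.items():
        if len(variants) > 1:
            # Same cookie set more than once: the browser stores or overwrites
            # them depending on Path/Domain, so the attributes seen may differ.
            findings.append((name, "duplicate: set %d times in one response" % len(variants)))
        for attrs in variants:
            samesite = attrs.get("samesite")
            if samesite is None:
                findings.append((name, "SameSite missing"))
            elif samesite.lower() == "none" and "secure" not in attrs:
                # Browsers reject SameSite=None cookies that lack Secure.
                findings.append((name, "SameSite=None without Secure"))
    return sorted(findings)


# Constructed sample: the Set-Cookie headers of a single response, mirroring
# the two ARRAffinity cookies described in the post.
SAMPLE = [
    "ARRAffinity=0123abcd;Path=/;HttpOnly;Domain=example.invalid",
    "ARRAffinity=0123abcd;Path=/;HttpOnly;SameSite=None;secure",
    "SessionId=xyz;Path=/;HttpOnly;Secure;SameSite=Lax",
]

if __name__ == "__main__":
    for cookie_name, finding in audit(SAMPLE):
        print(cookie_name, "-", finding)
```

Feed it the `Set-Cookie` values copied from the browser's network panel or from `curl -I` output, one list per response.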