Issue
- How can I adjust the JSESSIONID cookie's SameSite attribute from None to Strict?
Environment
- Liferay DXP 7.1 - 7.4
Resolution
The JSessionID cookie's attributes are set by your application server or web server. When using a Liferay environment with a bundled Tomcat application server, you can use the following steps to achieve this result:
- Stop the application server
- Navigate to
tomcat/conf/context.xml - Update the
CookieProcessorelement to set sameSiteCookies in the HTTP response header:<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />
- Clear all temp folders:
- [Liferay_Home]/osgi/state
- [Liferay_Home]/work
- [Liferay_Home]/[Tomcat_Home]/work
- [Liferay_Home]/[Tomcat_Home]/temp
- Restart the server
After doing so, the SameSite attribute in stored cookies will include "strict."
Prior to Tomcat versions 9.0.28 (or 8.5.48 for the 8.5x branch), the SameSite attribute will not be set if the value is NONE. As this causes issues with the session cookie in Chrome version 80+, upgrade your Tomcat version to 9.0.28+ when using the above steps. See Impact of Google Chrome 80 and changes in the default behavior of the SameSite cookie setting on SAML for more information.