SameSite cookie attribute
How To articles are not official guidelines or officially
supported documentation. They are community-contributed content and may
not always reflect the latest updates to Liferay DXP. We welcome your
feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate,
it may not always reflect the most recent updates or official
guidelines. We appreciate your understanding and encourage you to reach
out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy
"FastTrack" publication program, made available for
informational purposes. Articles in this program were published without a
requirement for independent editing or verification and are provided
"as is" without guarantee.
Before using any information from this article, independently verify
its suitability for your situation and project.
Issue
- Users want the 'JSESSIONID' cookie to be set with the SameSite attribute value Strict instead of None.
Resolution
- The application server or web server controls the JSESSIONID cookie. Therefore, in the case of the bundled Tomcat, the Tomcat app server needs to be configured accordingly.
- The following are steps that can be taken at the Tomcat level to achieve the desired results:
- In Tomcat < 9.0.28 (or < 8.5.48 for the 8.5.x branch), the SameSite attribute is not set if the value is NONE. This causes some issues with the session cookie in Chrome > 80. As a result, the above steps will not work if the Tomcat version is less than 9.0.28.
- Liferay is working on an option to set the SameSite attribute to either Lax or Strict for all these cookies, so that everything would be set by the Liferay engine itself. This can be tracked here: LPS-133584
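
The check below is an added example, not code from this article or from Liferay. It assumes the Tomcat-level setting is the `sameSiteCookies` attribute of the `<CookieProcessor>` element in `conf/context.xml`, and it verifies the configured value, the version thresholds quoted above, and the attribute actually sent on the session cookie. The sample `context.xml`, the `Set-Cookie` headers and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: conf/context.xml with Tomcat's CookieProcessor element.
CONTEXT_XML = """<Context>
  <CookieProcessor sameSiteCookies="strict" />
</Context>"""

# First release per branch that emits SameSite=None (thresholds from the article).
NONE_FIXED_IN = {(9, 0): (9, 0, 28), (8, 5): (8, 5, 48)}


def configured_same_site(context_xml):
    """Return the sameSiteCookies value set in context.xml, or 'unset'."""
    node = ET.fromstring(context_xml).find("CookieProcessor")
    return "unset" if node is None else node.get("sameSiteCookies", "unset").lower()


def emits_none(tomcat_version):
    """True/False for the 9.0.x and 8.5.x branches, None for any other branch."""
    ver = tuple(int(p) for p in tomcat_version.split(".")[:3])
    fixed = NONE_FIXED_IN.get(ver[:2])
    return None if fixed is None else ver >= fixed


def observed_same_site(set_cookie_headers, name="JSESSIONID"):
    """Return the SameSite value on the named cookie, or None if absent."""
    for header in set_cookie_headers:
        pair, *attrs = [p.strip() for p in header.split(";")]
        if pair.split("=", 1)[0] != name:
            continue
        for attr in attrs:
            key, _, value = attr.partition("=")
            if key.lower() == "samesite":
                return value.lower()
    return None


def audit(context_xml, tomcat_version, set_cookie_headers, wanted="strict"):
    """List the reasons the session cookie would not carry SameSite=<wanted>."""
    findings = []
    configured = configured_same_site(context_xml)
    if configured != wanted:
        findings.append(f"context.xml sets sameSiteCookies={configured}, expected {wanted}")
    if configured == "none" and emits_none(tomcat_version) is False:
        findings.append(f"Tomcat {tomcat_version} drops the attribute when the value is none")
    observed = observed_same_site(set_cookie_headers)
    if observed != wanted:
        findings.append(f"JSESSIONID is sent with SameSite={observed}")
    return findings
```

Feed `audit` the real `context.xml` contents, the running Tomcat version, and the `Set-Cookie` headers captured from a login response; an empty list means the session cookie carries the wanted value.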