24 lines
1.4 KiB
Text
24 lines
1.4 KiB
Text
[[_saml-tomcat-adapter-samesite-setting]]
|
|
===== Setting SameSite value for JSESSIONID cookie
|
|
|
|
Browsers are planning to set the default value for the `SameSite` attribute for cookies to `Lax`. This setting means
|
|
that cookies will be sent to applications only if the request originates in the same domain. This behavior can affect
|
|
the SAML POST binding which may become non-functional. To preserve full functionality of the SAML adapter, we recommend
|
|
setting the `SameSite` value to `None` for the `JSESSIONID` cookie created by your container. Not doing so may result in
|
|
resetting the container's session with each request to {project_name}.
|
|
|
|
NOTE: To avoid setting the `SameSite` attribute to `None`, consider switching to the REDIRECT binding
|
|
if it is acceptable, or to OIDC protocol where this workaround is not necessary.
|
|
|
|
To set the `SameSite` value to `None` for `JSESSIONID` cookie in Tomcat add following configuration to the`context.xml`
|
|
of your application. Note, this will set the `SameSite` value to `None` for all cookies created by Tomcat container.
|
|
|
|
[source,xml]
|
|
----
|
|
<CookieProcessor sameSiteCookies="None" />
|
|
----
|
|
|
|
WARNING: It is not possible to set the `SameSite` attribute only to a subset of cookies, therefore all cookies created
|
|
for your application will have this attribute set to `None`.
|
|
|
|
The support for this feature is available in Tomcat from versions 9.0.29 and 8.5.49.
|