Safari not sending cookie even after setting SameSite=None; Secure

Versions of Safari on macOS 10.14 and all browsers on iOS 12 are affected by this bug, which means that SameSite=None is erroneously treated as SameSite=Strict, i.e. the most restrictive setting. I’ve published some guidance in SameSite cookie recipes on either: Using two sets of cookies to account for browsers that support SameSite=None; Secure and … Read more
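The two workarounds the answer above points at, detecting the affected WebKit builds from the User-Agent header and issuing a second "legacy" cookie without a SameSite attribute, as an added Python example. This is not code from the original answer or from the linked recipes. The regexes for iOS 12 and Safari on macOS 10.14, the -legacy cookie name suffix, and the sample User-Agent strings are this example's own assumptions; the sample strings are constructed, not captured from real clients.

```python
"""SameSite=None compatibility helpers (added example, not from the original answer).

Affected clients store a cookie set with SameSite=None as if it were SameSite=Strict,
so a cross-site request never carries it. Two mitigations are shown:
  1. User-agent detection: omit the SameSite attribute for those clients only.
  2. Two cookies: always send the modern cookie plus a legacy copy without SameSite,
     and read whichever one comes back.
"""
import re

# Assumed User-Agent shapes for the two client families the answer names.
# iOS 12: every browser uses the system WebKit, so match the OS version, not the app.
_IOS_12 = re.compile(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/")
# Safari on macOS 10.14: "Version/x Safari/y" distinguishes Safari from Chrome on the same OS.
_MACOS_10_14_SAFARI = re.compile(
    r"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/.*Version/.*Safari/"
)

# Constructed sample User-Agent strings (not captured traffic).
SAMPLE_UAS = {
    "safari_macos_10_14": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                          "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
    "chrome_ios_12": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1",
    "safari_macos_10_15": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                          "(KHTML, like Gecko) Version/14.0 Safari/605.1.15",
    "chrome_macos_10_14": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
                          "(KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36",
    "chrome_windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
}


def rejects_same_site_none(user_agent):
    """True if this client is known to treat SameSite=None as SameSite=Strict."""
    ua = user_agent or ""
    return bool(_IOS_12.search(ua) or _MACOS_10_14_SAFARI.search(ua))


def set_cookie_headers(name, value, user_agent=None, legacy_suffix="-legacy"):
    """Return the Set-Cookie header values to emit for one session cookie.

    With a User-Agent that is known to be affected, send a single cookie with no
    SameSite attribute at all (the attribute would only hurt). Otherwise send the
    SameSite=None; Secure cookie plus a legacy copy under a different name, so a
    client that mishandles the first still returns the second on cross-site requests.
    """
    base = f"{name}={value}; Path=/; Secure; HttpOnly"
    if user_agent is not None and rejects_same_site_none(user_agent):
        return [base]
    legacy = f"{name}{legacy_suffix}={value}; Path=/; Secure; HttpOnly"
    return [f"{base}; SameSite=None", legacy]


def session_from_cookies(cookie_header, name, legacy_suffix="-legacy"):
    """Server-side read of the incoming Cookie header: prefer the modern cookie,
    fall back to the legacy copy. Returns None if neither is present."""
    jar = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            jar[key] = val
    return jar.get(name) or jar.get(name + legacy_suffix)


if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        print(label, "->", set_cookie_headers("JSESSIONID", "abc123", ua))
    print(session_from_cookies("JSESSIONID-legacy=abc123", "JSESSIONID"))
```

The detection is deliberately narrow: Chrome on macOS 10.14 shares the OS string but has no Version/ token, and iOS 13 or macOS 10.15 user agents do not match, so those clients get the standards-compliant SameSite=None; Secure cookie. The cookie names are assumptions; the real attribute set for a session cookie should also match whatever Domain and Path the framework uses, or the two copies will not overwrite each other on logout.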

How to set SameSite and Secure attribute to JSESSIONID cookie

UPDATE on 06/07/2021 – Added the correct Path attribute along with the new SameSite attributes to avoid session cookie duplication with the GenericFilterBean approach. I was able to come up with my own solution for this. I have two kinds of applications which run on Spring Boot and have different Spring Security configurations, and they needed different solutions to … Read more

Same-Site flag for session cookie in Spring Security

Newer Tomcat versions support SameSite cookies via TomcatContextCustomizer. So you should only customize the Tomcat CookieProcessor, e.g. for Spring Boot:

    import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
    import org.apache.tomcat.util.http.SameSiteCookies;
    import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Configuration
    public class MvcConfiguration implements WebMvcConfigurer {

        @Bean
        public TomcatContextCustomizer sameSiteCookiesConfig() {
            return context -> {
                // Replace the default cookie processor with one that appends
                // SameSite=None to every cookie Tomcat writes, JSESSIONID included.
                final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
                cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
                context.setCookieProcessor(cookieProcessor);
            };
        }
    }

For SameSiteCookies.NONE, be aware that cookies are also Secure … Read more