Just to confirm, we know that Chrome will block JSESSIONID it if sent over
unsecure connection and with SameSite=None. But we saw the
previously mentioned issue in Firefox.
Thanks,
On Wed, 11 Mar 2020 at 15:33, M. Manna wrote:
> Hi All,
>
> Due to the recent issues with Chrome 80, we have had to make some changes
> for our context.xml to have SameSite attribute setup for CookieProcessor
>
> What we've noticed is that even though CookieProcessorBase captures and
> assigns the correct value (e.g. "None" or "Lax"), the Network tab of
> browsers (e.g. Firefox, Chrome) always shows SameSite as "Unset". But if
> you observe the response header, it's actually setting the correct value.
>
> The question is - Would this be expected? Or, do we have to fix something
> here for browsers?
>
> Regards,
> M. MAnna
>
