I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 (4.12.0). I've encountered a problem with Chrome Canary Version 78.0.3886.0 which installed today, August 17th, 2019.
When beginning the session with my server, Chrome will not honor the JSESSIONID cookie. In the Chrome console is the warning: "[Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592." Chrome 76 (the stable release) works fine, and Canary works if I disable the "SameSite by default cookies" (chrome://flags/#same-site-by-default-cookies). However the link in the deprecation warning notes that this feature will be enabled by default in Chrome 80. I've read the CookieProcessor docs ( https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html) which leads me to believe that sameSiteCookies is set to none by default. However I don't see that in Chrome's DevTools, nor in the JSESSIONID I receive when testing my server app with Insomnia v6.6.2. I have tried setting the CookieProcessor explicitly by adding <CookieProcessor sameSiteCookies="none"></CookieProcessor> to conf/context.xml but to no effect. BTW, I'm using https://github.com/eBay/cors-filter for my CORS filters. I don't think my apps will be run in something other than Tomcat's, but can't say that for certain (certainly my boss and customer support manager want me to stay as generic as possible). Am I missing something? How can I fix this issue? -- "Hell hath no limits, nor is circumscrib'd In one self-place; but where we are is hell, And where hell is, there must we ever be" --Christopher Marlowe, *Doctor Faustus* (v. 111-13)