I have installed Tomcat 8.5.43 as a server under Eclipse 2019-06 (4.12.0).
I've encountered a problem with Chrome Canary Version 78.0.3886.0 which
installed today, August 17th, 2019.

When beginning the session with my server, Chrome will not honor the
JSESSIONID cookie. In the Chrome console is the warning:

"[Deprecation] A cookie associated with a cross-site resource at
http://localhost/ was set without the `SameSite` attribute. A future
release of Chrome will only deliver cookies with cross-site requests if
they are set with `SameSite=None`. You can review cookies in developer
tools under Application>Storage>Cookies and see more details at

Chrome 76 (the stable release) works fine, and Canary works if I disable
the "SameSite by default cookies"
However the link in the deprecation warning notes that this feature will be
enabled by default in Chrome 80.

I've read the CookieProcessor docs (
which leads me to believe that sameSiteCookies is set to none by default.
However I don't see that in Chrome's DevTools, nor in the JSESSIONID I
receive when testing my server app with Insomnia v6.6.2. I have tried
setting the CookieProcessor explicitly by adding

<CookieProcessor sameSiteCookies="none"></CookieProcessor>

to conf/context.xml but to no effect.

BTW, I'm using https://github.com/eBay/cors-filter for my CORS filters. I
don't think my apps will be run in something other than Tomcat's, but can't
say that for certain (certainly my boss and customer support manager want
me to stay as generic as possible).

Am I missing something? How can I fix this issue?

"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 111-13)

Reply via email to