Just to confirm, we know that Chrome will block JSESSIONID it if sent over unsecure connection and with SameSite=None. But we saw the previously mentioned issue in Firefox.
Thanks, On Wed, 11 Mar 2020 at 15:33, M. Manna <manme...@gmail.com> wrote: > Hi All, > > Due to the recent issues with Chrome 80, we have had to make some changes > for our context.xml to have SameSite attribute setup for CookieProcessor > > What we've noticed is that even though CookieProcessorBase captures and > assigns the correct value (e.g. "None" or "Lax"), the Network tab of > browsers (e.g. Firefox, Chrome) always shows SameSite as "Unset". But if > you observe the response header, it's actually setting the correct value. > > The question is - Would this be expected? Or, do we have to fix something > here for browsers? > > Regards, > M. MAnna >