Knowledge Base
Published Jun. 30, 2025

How to set SameSite cookie attribute to Strict within Tomcat

Written By

Kanchan Bisht

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Issue

  • How can I adjust the JSESSIONID cookie's SameSite attribute from None to Strict?

Environment

  • Liferay DXP 7.1 - 7.4

Resolution

The JSessionID cookie's attributes are set by your application server or web server. When using a Liferay environment with a bundled Tomcat application server, you can use the following steps to achieve this result:

  1. Stop the application server
  2. Navigate to tomcat/conf/context.xml
  3. Update the CookieProcessor element to set sameSiteCookies in the HTTP response header:
    1. <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />
  4. Clear all temp folders:
    1. [Liferay_Home]/osgi/state
    2. [Liferay_Home]/work
    3. [Liferay_Home]/[Tomcat_Home]/work
    4. [Liferay_Home]/[Tomcat_Home]/temp
  5. Restart the server

After doing so, the SameSite attribute in stored cookies will include "strict."

Prior to Tomcat versions 9.0.28 (or 8.5.48 for the 8.5x branch), the SameSite attribute will not be set if the value is NONE. As this causes issues with the session cookie in Chrome version 80+, upgrade your Tomcat version to 9.0.28+ when using the above steps. See Impact of Google Chrome 80 and changes in the default behavior of the SameSite cookie setting on SAML for more information.

Did this article resolve your issue ?

Knowledge Base