SameSite cookies configuration

Article ID: 221961

Products

Clarity PPM On Premise

Issue/Introduction

How to set SameSite Value to Lax in Clarity?

The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.

Note: Standards related to the Cookie SameSite attribute recently changed such that:

  • The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
  • Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

Cause

Configuration

Environment

Release : 15.8.1 and higher

Component : CLARITY SECURITY INTEGRATION

Resolution

On Premise Customer Only

  • If Clarity is configured to run over HTTPS, the Use Secure Session Cookie setting in CSA can be used, and there is no need to set the SameSite value to Lax.
  • If Clarity is configured to run over HTTP and there is a requirement to set the SameSite value to Lax, follow the steps below:
    • Stop all the Clarity services.
    • Log in to the database using any database client and execute the update below:
      • UPDATE CMN_OPTION_VALUES SET VALUE = 'Lax' WHERE OPTION_ID = (SELECT id FROM cmn_options WHERE option_code = 'LOGIN_COOKIE_SAMESITE_VALUE')
    • Restart all the Clarity services and check the cookie value in the browser trace; it should show as Lax.
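
To check a Set-Cookie header copied from the browser trace against the two rules in the note above, a small Python script such as the following can be used. It is an added example, not part of the original article or of Clarity; the cookie name sessionId and the header values are constructed samples.

```python
# Added example: header values below are constructed samples, not captured from Clarity.
SAMPLE_HEADERS = [
    "sessionId=abc123; Path=/; HttpOnly; SameSite=Lax",   # explicitly Lax
    "sessionId=abc123; Path=/; HttpOnly",                 # SameSite not specified
    "sessionId=abc123; Path=/; SameSite=None",            # None without Secure
    "sessionId=abc123; Path=/; Secure; SameSite=None",    # None with Secure
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def effective_samesite(header):
    """Return (mode, findings) for one header under the changed SameSite rules."""
    name, attrs = parse_set_cookie(header)
    findings = []
    raw = attrs.get("samesite", "")
    if raw.lower() in ("lax", "strict", "none"):
        mode = raw.capitalize()
    else:
        # Missing or unrecognised value: the cookie-sending behavior is now Lax.
        mode = "Lax"
        findings.append(f"{name}: SameSite not specified, treated as Lax")
    if mode == "None" and "secure" not in attrs:
        # SameSite=None must also carry Secure; browsers enforcing this drop the cookie.
        mode = "Rejected"
        findings.append(f"{name}: SameSite=None without Secure is rejected")
    return mode, findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        mode, findings = effective_samesite(header)
        print(f"{mode:8} <- {header}")
        for finding in findings:
            print(f"         note: {finding}")
```

After the database update and restart, the login cookie in the trace should match the first sample: an explicit SameSite=Lax with no findings.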