Session Cookies with sameSiteCookies set to Strict

As of Siebel CRM 21.3 Update, the following session cookies default to sameSiteCookies="Strict":

  • JSESSIONID

  • _sn_<application>_<lang>

If required, you can change this behavior as described in the following procedure. Before doing so, however, you must have a full understanding of the security impact of modifying this behavior when Siebel communicates with external sites.

To modify sameSiteCookies

  1. Open the context.xml file located here:

    <Application Interface Install Location>\conf\context.xml
  2. Change sameSiteCookies="Strict" to another supported value. The new value must be available on all browsers used by your end users and must meet the security parameters for your organization.

    In the following example, sameSiteCookies has been changed to "None":

    <CookieProcessor 
    className="org.apache.tomcat.util.http.LegacyCookieProcessor" 
    sameSiteCookies="None" />
  3. Restart the application interface for the changes to take effect.

Note: Siebel session cookies are already marked as Secure - that is, the Secure attribute is assigned to all session cookies by default.
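
A read-only check of the edited file, as an added example that is not part of the Siebel documentation: it parses the text of a context.xml and reports the sameSiteCookies value on each CookieProcessor element. The function name, severity labels and sample XML are constructed for illustration; the accepted values (unset, none, lax, strict) are assumed from Apache Tomcat's CookieProcessor documentation.

```python
import xml.etree.ElementTree as ET

# Values Tomcat's CookieProcessor documents for sameSiteCookies (case-insensitive),
# each with a severity label and a note. Labels are this example's own convention.
NOTES = {
    "strict": ("OK", "session cookies are withheld from all cross-site requests"),
    "lax": ("INFO", "session cookies are sent on top-level cross-site "
                    "navigations that use safe methods such as GET"),
    "none": ("WARN", "session cookies are sent on every cross-site request; "
                     "browsers also require the Secure attribute"),
    "unset": ("WARN", "no SameSite attribute is emitted; "
                      "each browser applies its own default"),
}

def audit_context_xml(xml_text):
    """Return (severity, className, message) for each CookieProcessor element."""
    root = ET.fromstring(xml_text)
    findings = []
    for cp in root.iter("CookieProcessor"):
        raw = cp.get("sameSiteCookies", "unset")   # attribute absent == unset
        cls = cp.get("className", "(default)")
        value = raw.strip().lower()
        if value not in NOTES:
            # Catches typos before the restart in step 3.
            findings.append(("ERROR", cls, f"{raw!r} is not a documented value"))
        else:
            severity, note = NOTES[value]
            findings.append((severity, cls, f"SameSite={value}: {note}"))
    if not findings:
        findings.append(("WARN", "(none)", "no CookieProcessor element in this file"))
    return findings

# Constructed sample files; SAMPLE_NONE mirrors the example in step 2.
SAMPLE_STRICT = """<Context>
  <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor"
                   sameSiteCookies="Strict" />
</Context>"""
SAMPLE_NONE = SAMPLE_STRICT.replace('"Strict"', '"None"')
SAMPLE_TYPO = SAMPLE_STRICT.replace('"Strict"', '"Strcit"')

if __name__ == "__main__":
    samples = [("strict", SAMPLE_STRICT), ("none", SAMPLE_NONE), ("typo", SAMPLE_TYPO)]
    for name, text in samples:
        for severity, cls, message in audit_context_xml(text):
            print(f"{name}: [{severity}] {cls}: {message}")
```

To check a real installation, pass the text of a copy of <Application Interface Install Location>\conf\context.xml to audit_context_xml.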