HTTP sameSite Cookie Configuration
This topic explains the sameSite attribute for session cookies in Digital.ai Release 22.1 and later, enhancing security by restricting cookies to first-party or same-site contexts.
- For better security, Digital.ai Release 22.1 and later support the sameSite attribute of the Set-Cookie HTTP response header, allowing session cookies to be restricted to a first-party or same-site context.
- Valid values for the new xl.server.http.cookie.sameSite configuration parameter are Lax and Strict.
- For sites that use OIDC, the sameSite parameter must always be set to Lax.
- For remember-me, the sameSite parameter must always be set to Strict.
Example sameSite Cookie Configuration in the xl-release.conf file

    xl {
      ...
      server {
        http {
          cookie {
            sameSite = Lax
          }
        }
      }
      ...
    }
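The following Python script is an added example, not part of the Digital.ai Release documentation or product. It audits the Set-Cookie headers a server returns against the rules listed above: every cookie must carry one of the two valid values, Lax or Strict; on an OIDC-enabled site the session cookie must be Lax (a Strict cookie is not sent on the cross-site top-level redirect back from the identity provider, so the login would not complete); and the remember-me cookie must be Strict. The cookie names SESSION and remember-me, and the sample headers, are assumptions made for this example and are not taken from the page.

```python
"""Audit Set-Cookie headers against the sameSite rules described on this page."""
from typing import Dict, List, Optional

# Values accepted by the xl.server.http.cookie.sameSite parameter (from the page).
VALID_SAMESITE = {"Lax", "Strict"}

# Assumed cookie names for this example; the real names are not stated on the page.
SESSION_COOKIE = "SESSION"
REMEMBER_ME_COOKIE = "remember-me"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into its name, value and the attributes of interest."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {
        "name": name.strip(),
        "value": value.strip(),
        "SameSite": None,
        "Secure": False,
        "HttpOnly": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            # Browsers match the SameSite value case-insensitively; normalise to Lax/Strict/None.
            cookie["SameSite"] = val.strip().capitalize()
        elif key == "secure":
            cookie["Secure"] = True
        elif key == "httponly":
            cookie["HttpOnly"] = True
    return cookie


def required_samesite(cookie_name: str, oidc_enabled: bool) -> Optional[str]:
    """Return the one value the page mandates for this cookie, or None if either valid value is fine."""
    if cookie_name == REMEMBER_ME_COOKIE:
        return "Strict"  # remember-me must always be Strict
    if oidc_enabled:
        return "Lax"  # OIDC sites must always use Lax
    return None


def audit_cookies(headers: List[str], oidc_enabled: bool) -> List[str]:
    """Return one finding per cookie that violates the documented sameSite rules."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name, same_site = cookie["name"], cookie["SameSite"]
        if same_site not in VALID_SAMESITE:
            findings.append(
                f"{name}: SameSite is {same_site!r}; expected one of {sorted(VALID_SAMESITE)}"
            )
            continue
        required = required_samesite(str(name), oidc_enabled)
        if required is not None and same_site != required:
            findings.append(f"{name}: SameSite={same_site} but {required} is required")
    return findings


# Constructed sample responses for this example, not captured from a real Release instance.
SAMPLE_HEADERS = [
    "SESSION=0123abcd; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember-me=tokenvalue; Path=/; HttpOnly; Secure; SameSite=Lax",
    "legacy=1; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS, oidc_enabled=True):
        print(finding)
```

Run against the constructed sample with OIDC enabled, the script flags the remember-me cookie (Lax where Strict is required) and the legacy cookie (no SameSite attribute at all), while the Lax session cookie passes. Point it at the real headers from a curl -i against your Release instance to confirm the xl-release.conf setting took effect.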