Starting with version 80, Chrome (and later Safari) introduced a new model for cookie security. This model adds security controls around the availability of cookies to third-party sites through a setting called SameSite. For more detailed information, see this article.
The default value of this setting (
To get around this, you need to set the SameSite cookie attribute to None for the login token.
The SameSite=None setting is only applied if the protocol is secure (HTTPS).
If the protocol is not secure (HTTP), then the setting is ignored and the server will show this WARN message:
WARN com.day.crx.security.token.TokenCookie Skip 'SameSite=None'
You can add the setting by following the steps below:
None, as shown in the image below
Once this setting is updated and users are logged out and logged in again, login-token cookies will have the None attribute set and will be included in cross-site requests.
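To confirm the change took effect, the check below classifies a Set-Cookie header under the SameSite rules described above. It is an added example, not code from the product or its vendor, and it assumes the browser behaviour Chrome applies since version 80: a cookie without a SameSite attribute is treated as Lax, and SameSite=None is rejected unless Secure is also set. The function names and sample header values are constructed for illustration.

```javascript
// Added example: classify a Set-Cookie header under the SameSite rules
// Chrome applies since version 80. All sample headers are constructed.

// Parse "name=value; Attr; Attr=val" into a cookie name and an attribute map
// keyed by lower-cased attribute name (flag attributes map to true).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  const name = eq === -1 ? first : first.slice(0, eq);
  const attrs = {};
  for (const part of parts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Returns one of:
//   "sent-cross-site"  SameSite=None together with Secure
//   "rejected"         SameSite=None without Secure (the browser drops the cookie)
//   "restricted"       Lax, Strict, unknown or absent SameSite: withheld from
//                      cross-site subrequests such as iframes, fetch and POST
function crossSiteStatus(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite =
    typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  if (sameSite === "none") {
    return "secure" in attrs ? "sent-cross-site" : "rejected";
  }
  return "restricted";
}

// Constructed sample headers: after the change over HTTPS, after the change
// over HTTP (attribute present but no Secure flag), and before the change.
const samples = [
  "login-token=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "login-token=abc123; Path=/; HttpOnly; SameSite=None",
  "login-token=abc123; Path=/; HttpOnly",
];
for (const header of samples) {
  console.log(crossSiteStatus(header).padEnd(16), header);
}
```

Paste the Set-Cookie value from the login response (browser developer tools, Network tab) into `crossSiteStatus` to check a real instance.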