Same Site Cookie Support for Adobe Experience Manager as a Cloud Service same-site-cookie-support-for-adobe-experience-manager-as-a-cloud-service

Since version 80, Chrome, and later Safari, introduced a new model for cookie security. This mode is designed to introduce security controls around availability of cookies to third-party sites, through a setting called SameSite. For more detailed information, see this article.

The default value of this setting (SameSite=Lax) might cause authentication between AEM instances or services to not work. This is because the domains or URL structures of these services might not fall under the constraints of this cookie policy.

To get around this, set the SameSite cookie attribute to None for the login token.

The SameSite=None setting is only applied if the protocol is secure (HTTPS).
If the protocol is not secure (HTTP), then the setting is ignored and the server shows this warning message:
WARN Skip 'SameSite=None'

You can add the setting by following the below steps:

  1. Install a version of the AEM SDK Quickstart locally
  2. Go to the Web Console at http://serveraddress:serverport/system/console/configMgr
  3. Search for and click the Adobe Granite Token Authentication Handler
  4. Set the SameSite attribute for the login-token cookie to None, as shown in the image below
  5. Click Save
  6. Generate the JSON format configurations for this particular setting by following the steps outlined in Generating OSGi Configurations using the AEM SDK Quickstart
  7. Apply the settings by following the steps in the Cloud Manager API Format for Setting Properties OSGi documentation.

After this setting is updated and users are logged off and logged on again, login-token cookies have the None attribute set and is included in cross-site requests.