SameSite Cookie Attribute
The SameSite Cookie attribute controls access to cookies and helps prevent various cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. This attribute tells browsers how to handle first- or third-party cookies and identifies whether to allow a cookie to be accessed.
Horizon ships with the most secure configuration (strict) for its session cookie.
This means that the session cookie will not be sent for any cross-site requests.
There may be environments where a user wants to relax this enforcement by setting the SameSite attribute to
Relax enforcement policy
To change the enforcement policy, you must edit
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <comment>__SAME_SITE_STRICT__</comment> <!-- (1) -->
    </cookie-config>
    <session-timeout>-1</session-timeout>
</session-config>
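One way to check the setting after an edit, as an added example that is not part of Horizon or its documentation: a small audit that reads a <session-config> block and reports when the session cookie is no longer http-only or no longer strict. The function name, the sample strings and the __SAME_SITE_LAX__ marker are assumptions; only __SAME_SITE_STRICT__ appears on this page.

```python
import re
import xml.etree.ElementTree as ET

# Marker format taken from the page's <comment> value; markers other than
# STRICT are assumed to follow the same __SAME_SITE_<POLICY>__ pattern.
MARKER = re.compile(r"__SAME_SITE_([A-Z]+)__")


def _local(tag):
    """Strip an XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    """Return the first direct child with the given local name, or None."""
    if parent is None:
        return None
    return next((c for c in parent if _local(c.tag) == name), None)


def audit_session_cookie(xml_text):
    """Return a list of findings for the <session-config> cookie settings."""
    root = ET.fromstring(xml_text)
    session = next((e for e in root.iter() if _local(e.tag) == "session-config"), None)
    cookie = _child(session, "cookie-config")
    if cookie is None:
        return ["no <cookie-config> found: SameSite policy is not set here"]
    findings = []
    http_only = _child(cookie, "http-only")
    if http_only is None or (http_only.text or "").strip().lower() != "true":
        findings.append("http-only is not true: scripts can read the session cookie")
    comment = _child(cookie, "comment")
    match = MARKER.search((comment.text or "") if comment is not None else "")
    if match is None:
        findings.append("no __SAME_SITE_*__ marker in <comment>")
    elif match.group(1) != "STRICT":
        findings.append(f"SameSite relaxed to {match.group(1)}: cookie may be sent cross-site")
    return findings


# Constructed samples: the block shown on this page, and an assumed relaxed variant.
SHIPPED = """<session-config><cookie-config><http-only>true</http-only>
<comment>__SAME_SITE_STRICT__</comment></cookie-config>
<session-timeout>-1</session-timeout></session-config>"""
RELAXED = SHIPPED.replace("__SAME_SITE_STRICT__", "__SAME_SITE_LAX__")

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("relaxed", RELAXED)):
        print(name, audit_session_cookie(text) or "OK")
```

An empty result means the block still matches the shipped strict, http-only configuration; any finding is a deviation worth recording alongside the reason the policy was relaxed.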