SameSite Cookie Attribute

The SameSite cookie attribute controls access to cookies and helps prevent various cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. It tells browsers how to handle first- and third-party cookies, and whether a cookie may be sent with a cross-site request.

Horizon ships with the most secure configuration (strict) for its session cookie. This means that the session cookie will not be sent for any cross-site requests. There may be environments where a user wants to relax this enforcement by setting the SameSite attribute to lax.

Relax enforcement policy

To change the enforcement policy, you must edit $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/web.xml:


    <comment>__SAME_SITE_STRICT__</comment> (1)

(1) Replace __SAME_SITE_STRICT__ with __SAME_SITE_LAX__ (keeping the leading and trailing double underscores) to change the enforcement policy to lax.
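
The edit described above, scripted as an added example (not part of the Horizon documentation or tooling). The function names `current_samesite`, `set_samesite` and `demo` are hypothetical, and the script assumes the marker sits on one line inside a `<comment>` element, as in the snippet above.

```shell
#!/bin/sh
# Added example: report and switch the SameSite marker in Horizon's web.xml.
# current_samesite FILE: print "strict", "lax" or "unknown".
current_samesite() {
    if grep -q '<comment>__SAME_SITE_STRICT__</comment>' "$1"; then
        echo strict
    elif grep -q '<comment>__SAME_SITE_LAX__</comment>' "$1"; then
        echo lax
    else
        echo unknown
    fi
}

# set_samesite FILE POLICY: POLICY is strict or lax; keeps FILE.bak for rollback.
set_samesite() {
    file=$1
    case $2 in
        strict) new=__SAME_SITE_STRICT__ ;;
        lax)    new=__SAME_SITE_LAX__ ;;
        *) echo "policy must be strict or lax" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    state=$(current_samesite "$file")
    [ "$state" != unknown ] || { echo "no SameSite marker in $file" >&2; return 1; }
    [ "$state" = "$2" ] && return 0          # already set: leave the file untouched
    cp -p "$file" "$file.bak" || return 1    # backup before rewriting
    sed "s|<comment>__SAME_SITE_[A-Z]*__</comment>|<comment>${new}</comment>|" \
        "$file.bak" > "$file" || return 1
    [ "$(current_samesite "$file")" = "$2" ] # fail if the rewrite did not take
}

# Demo on a constructed web.xml fragment (not the shipped file).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<session-config>' ' <cookie-config>' \
        '  <comment>__SAME_SITE_STRICT__</comment>' \
        ' </cookie-config>' '</session-config>' > "$d/web.xml"
    before=$(current_samesite "$d/web.xml")
    set_samesite "$d/web.xml" lax || return 1
    echo "$before -> $(current_samesite "$d/web.xml")"
    rm -rf "$d"
}

# Real use: set_samesite "$OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/web.xml" lax
if [ "${1:-}" = "--demo" ]; then demo; fi
```
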