SameSite Cookie Attribute

The SameSite Cookie attribute controls access to cookies and helps prevent various cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. This attribute tells browsers how to handle first- or third-party cookies and identifies whether to allow a cookie to be accessed.

Horizon ships with the most secure configuration (strict) for its session cookie. This means that the session cookie will not be sent for any cross-site requests. There may be environments where a user wants to relax this enforcement by setting the SameSite attribute to lax.

Relax enforcement policy

To change the enforcement policy, you must edit $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/web.xml:

+

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>false</secure>
    <comment>__SAME_SITE_STRICT__</comment> (1)
  </cookie-config>
  <session-timeout>-1</session-timeout>
</session-config>
1 Replace SAME_SITE_STRICT with SAME_SITE_LAX to change the enforcement policy to lax.