SameSite Cookie Attribute
The SameSite Cookie attribute controls access to cookies and helps prevent various cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. This attribute tells browsers how to handle first- or third-party cookies and identifies whether to allow a cookie to be accessed.
Horizon ships with the most secure configuration (strict
) for its session cookie.
This means that the session cookie will not be sent for any cross-site requests.
There may be environments where a user wants to relax this enforcement by setting the SameSite attribute to lax
.
Relax enforcement policy
To change the enforcement policy, you must edit $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/web.xml
:
+
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>false</secure>
<comment>__SAME_SITE_STRICT__</comment> (1)
</cookie-config>
<session-timeout>-1</session-timeout>
</session-config>
1 | Replace SAME_SITE_STRICT with SAME_SITE_LAX to change the enforcement policy to lax . |