Question
Infosys
NL
Last activity: 29 Mar 2021 9:50 EDT
Change JSESSIONID cookie samesite attribute to "None" for Chatbot mashup
Hello,
We are implementing Webchatbot and this mash-up uses two cookies JSESSIONID and PegaRULES. Chatbot works fine in Firefox but not in Chrome. Upon analysis, we found that the Chrome is blocking the cookies in cross site context if the cookie's samesite attribute value is not set.
We updated the PegaRULES samesite value using a DSS but how to set the JSESSIONID cookie's samesite in Pega?
We understand that JsessionID is set by application server, not Pega. If the cookie samesite is not set then the Chatbot is not working.
Our IT-ops team doesn't want to update this cookie as it might affect other Pega applications as well and concerned about security.
Note: In CSRF settings landing page, I enabled the SameSite and set it to "None" but this is not setting the JSESSIONID cookie.
Pegasystems Inc.
US
@Srikrishnakanth Typically, these issues are resolved by not making the cookies third party. We used a reverse proxy to make the domain of the host page to be the same as the pega server url that's specified in the helper file. This would also prevent the Pega server URL available to the browser. The reverse proxy can map the URL to the internal PRChat servlet URL.
Infosys
NL
@Amit_Patel Thank you.
Out IT team says that this solution is not going to work as per our current Pega setup. They have to change the tomcat layer to also allow traffic from different domain.
Is there any other way we could fix this?
Macif
FR
Hello,
Maybe you can use this :
https://tomcat.apache.org/tomcat-8.0-doc/config/cookie-processor.html
You have to added it in a new context.xml file under your webapp src directory to not have an impact on other webapps but override the context file from conf directory.