Posted: 18 Feb 2021 8:04 EST Last activity: 19 Feb 2021 9:37 EST
Change JSESSIONID cookie samesite attribute to "None" for Chatbot mashup
We are implementing Webchatbot, and this mash-up uses two cookies, JSESSIONID and PegaRULES. Chatbot works fine in Firefox but not in Chrome. Upon analysis, we found that Chrome is blocking the cookies in a cross-site context if the cookie's samesite attribute value is not set.
We updated the PegaRULES samesite value using a DSS, but how do we set the JSESSIONID cookie's samesite in Pega?
We understand that JSESSIONID is set by the application server, not Pega. If the cookie's samesite is not set, then the Chatbot is not working.
Our IT-ops team doesn't want to update this cookie, as it might affect other Pega applications as well, and is concerned about security.
Note: In the CSRF settings landing page, I enabled SameSite and set it to "None", but this is not setting the JSESSIONID cookie.
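To see why Chrome drops JSESSIONID but not the patched PegaRULES cookie, here is an added audit script (not part of the original post or of Pega) that applies Chrome's SameSite rules to Set-Cookie headers captured from the Pega server. The two sample headers and the cookie values in them are constructed for illustration.

```python
from typing import List, Optional, Tuple

# Constructed sample Set-Cookie headers, as a Pega server might emit them when
# a mashup is embedded on another site. Values are placeholders.
SAMPLE_HEADERS = [
    "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/prweb; HttpOnly",
    "PegaRULES=PLACEHOLDER_TOKEN; Path=/prweb; Secure; SameSite=None",
]


def parse_set_cookie(header: str) -> Tuple[str, Optional[str], bool]:
    """Return (cookie name, SameSite value or None, Secure flag) for a header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower()
        elif key == "secure":
            secure = True
    return name, samesite, secure


def cross_site_verdict(samesite: Optional[str], secure: bool) -> str:
    """Would Chrome (80+) send this cookie from an embedded, cross-site mashup?"""
    # Chrome treats a missing (or unrecognised) SameSite as Lax. Its short
    # "Lax+POST" grace period for unspecified cookies is ignored here.
    if samesite is None or samesite not in ("none", "lax", "strict"):
        return "blocked: no valid SameSite attribute, Chrome defaults it to Lax"
    if samesite == "none":
        # SameSite=None is only honoured when the cookie is also Secure.
        return "sent" if secure else "rejected: SameSite=None requires Secure"
    if samesite == "lax":
        return "blocked: SameSite=Lax is only sent on top-level navigations"
    return "blocked: SameSite=Strict is never sent cross-site"


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Map each Set-Cookie header to (cookie name, cross-site verdict)."""
    results = []
    for header in headers:
        name, samesite, secure = parse_set_cookie(header)
        results.append((name, cross_site_verdict(samesite, secure)))
    return results


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```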
@Srikrishnakanth Typically, these issues are resolved by not making the cookies third-party. We used a reverse proxy to make the domain of the host page the same as the Pega server URL that's specified in the helper file. This would also prevent the Pega server URL from being available to the browser. The reverse proxy can map the URL to the internal PRChat servlet URL.