Skip to content

Setting the SameSite Attribute

To help prevent cross-site request forgery attacks, the default SameSite attribute on the session server cookie has been updated from None (less restrictive) to Lax (more restrictive).

With the attribute set to Lax, the session server cookie will not be sent on cross-site requests as is often the case with the JavaScript SDK and in SAML authentication.

This change affects two areas of HACloud:

  • The JavaScript SDK and
  • SAML authentication behind a load balancer

In these cases you'll need to adjust the attribute value to None by:

  1. Opening in a text editor. The default location for this file is ./sessionserver/conf/.

  2. Adding the following line to


  3. Restarting the session server.