Some browsers no longer accept cookies that do not have a "sameSite" value set.
We changed the internally used cookies to write "sameSite=Strict" now. This is true for the following cookies:
- WGPID
- WGLastRedirectHex
- WGSESSIONID / WGSECURESESSIONID (if used)
In addition we added new methods to api.Cookie:
setSameSite(value) // set sameSite value (default=Strict)
setValue(value, "hex"|"base64") // encode value to HEX or Base64
getValue("hex"|"base64") // decode value from HEX or Base64
write() // write cookie to HTTP-Header
All setters now return the cookie object itself so that methods can be chained.
Sample:
WGA.Call().createCookie("my-cookie")
.setValue("some value", "base64")
.setSameSite("Strict")
.write()
Note:
- WGA.Call().addCookie() is unchanged and does NOT set a sameSite value. Use the new Cookie.write() method instead.
About JSESSIONID cookie:
This cookie is created and managed by the underlying app server (Tomcat) and we have no influence here. This means that this cookie is still written without a sameSite value.
To avoid this you should use the optional OpenWGA session management. In this case a WGSESSIONID cookie is created. Because this cookie is under our control we set sameSite=Strict on this cookie.
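
A check for the situation described above, added here as an example and not part of OpenWGA: it audits the Set-Cookie header lines of a response and reports every cookie whose sameSite value is missing or differs from Strict. The function names and the sample header lines (cookie values and attributes) are constructed for illustration.

```javascript
// Added example, not OpenWGA code: audit Set-Cookie header lines for SameSite.

// Parse one Set-Cookie header value into { name, sameSite }.
// sameSite is null when the attribute is absent (attribute names are case-insensitive).
function parseSetCookie(headerValue) {
  const parts = headerValue.split(";").map(p => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  let sameSite = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    if (key === "samesite") {
      sameSite = i === -1 ? "" : attr.slice(i + 1).trim();
    }
  }
  return { name, sameSite };
}

// Return one finding per cookie whose SameSite is missing or not the expected value.
function auditSameSite(setCookieHeaders, expected = "Strict") {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, sameSite } = parseSetCookie(header);
    if (sameSite === null || sameSite === "") {
      findings.push({ name, issue: "missing" });
    } else if (sameSite.toLowerCase() !== expected.toLowerCase()) {
      findings.push({ name, issue: "is " + sameSite });
    }
  }
  return findings;
}

// Constructed sample response headers (all values made up for this example).
// JSESSIONID stands for the app-server cookie that is written without sameSite.
const sampleHeaders = [
  "WGPID=abc123; Path=/; SameSite=Strict",
  "WGLastRedirectHex=2f686f6d65; Path=/; SameSite=Strict",
  "WGSESSIONID=def456; Path=/; HttpOnly; samesite=strict",
  "JSESSIONID=0123ABCD; Path=/; HttpOnly",
  "my-cookie=c29tZSB2YWx1ZQ==; Path=/; SameSite=Lax",
];

for (const f of auditSameSite(sampleHeaders)) {
  console.log(f.name + ": SameSite " + f.issue);
}
```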