How to set samesite cookie on wildfly 15?


My App Server is running an older version of Wildfly (v. 15.0.1.Final). The content served from the server is embedded within a partner site (as an IFrame). This embedded approach stopped rendering on Chrome and Edge recently, while it still works on Firefox. The debugging utilities indicate that the cookie’s SameSite attribute was not set and that it should be set to SameSite=None, which would enable the cross-site operations.

However, I am not sure if there is a way to do this on Wildfly 15. There are instructions online that provide details on how to configure Wildfly 19+ (How to set samesite cookie on WildFly 20?), but I couldn't find anything for older versions.

I tried the above and a couple of related suggestions, none worked. Does anyone know if this is possible and if so, how to do it?


This is not a Wildfly behaviour - it is browser behaviour first introduced in RFC6265bis and now more widely implemented. Section 5.2 describes the Same Site calculation. These updates to cookie behaviour are to protect user privacy and prevent unwelcome user tracking across sites.

This means that third party iframes are a design to avoid these days. The user is not informed of the content's origin, and in such a deployment the calculation marks the iframe's cookies as third party and they are dropped aggressively.

For a while, using the SameSite=None; Secure cookie properties has worked in some browsers. I always recommend testing in the Safari browser first though, since it has strict settings and this type of solution has not worked there for a number of years.

FUTURE PROOF SOLUTION?

As a consequence of security restrictions, it has become more common for companies to share data via APIs rather than UI composition. This type of solution could also involve providing some frontend code that the customer integrates in their preferred way, e.g. a div or first party iframe.

The browser frontend would then route to your servers via its own backend, or via a reverse proxy in the same site as the host application's web origin. All cookies will then be first party and not dropped. This type of deployment requires more work but is also more future proof.