I have an application that is running as a central service which can be embedded as an i-frame into arbitrary web pages. This application is running within a Wildfly application server and is using server-side sessions with cookies. From the point of view of the browser, these cookies are third-party cookies.
A while ago, Google has announced that they will disable support for third-party cookies in Chrome in 2022. I understand that I will have to rework the architecture of the application if I want it to work with Chrome. Theoretically, I think it should be possible to use sessions without cookies. I could do an OAuth 2.0 authentication via Javascript and send the access token as bearer authentication in each server request. The server could use this token to identify the session.
Unfortunately, I do not want to build a server from scratch, I am using Wildfly to handle the session for me. I know this is an advanced topic, but I would be grateful for some hints how to make Wildfly (or any other Jave EE container) use a different identifier than a cookie to identify the session.
The servlet 3 specs foresees 3 ways for managing sessions:
You can specify desired mode in the
web.xmlof you war:but i think you can also define it globally, I mean on Wildfly level (as default mode)
Useful link: https://www.logicbig.com/tutorials/java-ee-tutorial/java-servlet/session-tracking-mode.html