I have two Tomcat instances that I've been authenticated to from my browser, and one is called from a different domain. Usually, after properly configuring CORS on this Tomcat instance, the request will forward the JSESSIONID and be successful. But the Chrome browser (v86.0.4240.80) is no longer forwarding the JSESSIONID, and the request is unauthorized.
What could be the issue?
Here is the reason: https://www.chromestatus.com/feature/5088147346030592
You need to set SameSite=None to notify Chrome that JSESSIONID can be forwarded from another domain. (https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/tomcat/util/http/SameSiteCookies.html)
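
Added example, not part of the original answer: a small checker that applies Chrome's SameSite-by-default rules to a Set-Cookie header and reports whether the cookie would accompany a cross-site XHR/fetch. It also covers the companion rule that Chrome rejects SameSite=None cookies lacking the Secure attribute. The function names and sample headers are constructed for illustration.

```javascript
// Added example: a simplified model of Chrome's SameSite-by-default rules.
// Assumption: only SameSite and Secure are modelled; Domain, Path, expiry and
// the short "Lax + POST" grace period for defaulted cookies are ignored.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: nameValue.split('=')[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Verdict for a credentialed cross-site subrequest (XHR/fetch from another site).
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  const known = ['strict', 'lax', 'none'].includes(c.sameSite);
  const mode = known ? c.sameSite : 'lax'; // missing or unknown value => Lax
  if (mode === 'none') {
    return c.secure
      ? { sent: true, reason: 'SameSite=None with Secure' }
      : { sent: false, reason: 'rejected: SameSite=None requires Secure' };
  }
  return {
    sent: false,
    reason: known ? `SameSite=${mode} blocks cross-site subrequests`
                  : 'no valid SameSite, treated as Lax',
  };
}

// Constructed sample headers (the session id value is a placeholder).
const SAMPLES = [
  'JSESSIONID=CONSTRUCTED0001; Path=/app; HttpOnly',
  'JSESSIONID=CONSTRUCTED0001; Path=/app; HttpOnly; SameSite=None',
  'JSESSIONID=CONSTRUCTED0001; Path=/app; Secure; HttpOnly; SameSite=None',
];

for (const h of SAMPLES) {
  const v = crossSiteVerdict(h);
  console.log(`${v.sent ? 'SENT   ' : 'DROPPED'} ${v.reason} <- ${h}`);
}
```

Run it against the Set-Cookie header your Tomcat instance actually returns (visible in the browser's network panel) to see which rule is dropping the session cookie.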