it’s only going to be an issue if you are doing cross domain stuff, i.e. loading a page from
Lucee from a different domain and expecting the user to be already logged in
I just use an apache rule to set them
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict