How to add samesite=lax to cfid and cftoken?

Hi. I am using 189-snapshot (express).
I have defined this.sessionCookie.sameSite = 'lax' in application.cfc, but the samesite is not set for cfid and cftoken. I would like to know how to set it.

I also added

<CookieProcessor sameSiteCookies='lax'/> 

to tomcat’s conf/context.xml, but that doesn’t seem to work either.

Hi @reefle WELCOME!

I just did a quick test: I’ve opened the default welcome app and added the following application.cfc:

component {

	this.Name = "samesiteCookieTest";
	this.sessionTimeout		=  CreateTimeSpan(0, 0, 5, 1);
	this.sessionManagement	= true;
	this.sessionCookie = { httpOnly=true, sameSite = "lax"  };
	this.setclientcookies	= true;
	this.sessionType		= "cfml";
}

and it worked:

Does it also happen if you open the page directly through port 8888?

For some reason I’m now seeing also something strange… in my example now the cookies aren’t being generated at all :confused:

but as soon as I add: this.clientmanagement="true";

component {
	this.Name = "samesiteCookieTest";
	this.clientmanagement = "true";
	this.sessionTimeout		=  CreateTimeSpan(0, 0, 5, 1);
	this.sessionManagement	= true;
	this.sessionCookie = { httpOnly=true, sameSite = "lax"  };
	this.setclientcookies	= true;
	this.sessionType		= "cfml";
}

Then the session cookies get generated along with the client cookies. I wonder why I had that image I shared?

Thank you for your help. I solved it.
It was apparently not a Lucee problem. I may have had a problem with the Developer Tool in Chrome.
I restarted Lucee, opened the URL from a new tab, also cleared the cache, and reloaded the cookies, …!! :slight_smile: Lax was added. Apparently I wasted about an hour of my time… :flushed:

Thank you andreas!

Maybe I’m having the same issue now with my dev tool :smiley: going to shut my notebook down. Maybe it’s a good time to get some sleep :smiley:

Always test cookies with curl or a fresh incognito browser (i.e. a fresh session), otherwise it gets confusing as existing cookies don’t get updated.

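The fresh-session check suggested in the last reply can be scripted. This is an added example, not code from the thread: it parses response headers and reports the SameSite attribute on cfid and cftoken. The function name and the sample headers are constructed for illustration, and the commented curl call assumes a local instance on the port 8888 mentioned earlier.

```shell
#!/bin/sh
# Reads raw HTTP response headers on stdin, prints the SameSite state of
# cfid/cftoken, returns 0 only when both carry the wanted value (default lax).
audit_session_cookies() {
    want=$(printf '%s' "${1:-lax}" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v want="$want" '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)         # drop the header name
            n = split(line, part, /;[ \t]*/)       # part[1] is name=value
            name = tolower(part[1]); sub(/=.*/, "", name)
            if (name != "cfid" && name != "cftoken") next
            value = "missing"
            for (i = 2; i <= n; i++) {
                attr = tolower(part[i])
                if (attr ~ /^samesite=/) value = substr(attr, 10)
            }
            sub(/[ \t]+$/, "", value)
            seen[name] = value
            print name " samesite=" value
        }
        END {
            split("cfid cftoken", names, " ")
            for (i = 1; i <= 2; i++) {
                if (!(names[i] in seen)) {
                    # Nothing was issued for this name in this response.
                    print names[i] " not-in-response"; bad = 1
                } else if (seen[names[i]] != want) bad = 1
            }
            exit bad + 0
        }'
}

# Constructed sample headers (not captured from a real server).
SAMPLE_OK='HTTP/1.1 200 OK
Set-Cookie: cfid=constructed-id; Path=/; HttpOnly; SameSite=Lax
Set-Cookie: cftoken=0; Path=/; HttpOnly; SameSite=Lax'
SAMPLE_MISSING='HTTP/1.1 200 OK
Set-Cookie: cfid=constructed-id; Path=/; HttpOnly
Set-Cookie: cftoken=0; Path=/; HttpOnly; SameSite=Lax'

for sample in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
    if printf '%s\n' "$sample" | audit_session_cookies lax; then echo "=> PASS"; else echo "=> FAIL"; fi
done

# Live check from a fresh session (curl sends no stored cookies here):
# curl -sS -D - -o /dev/null http://localhost:8888/ | audit_session_cookies lax
```

A "not-in-response" line means the response set no cookie under that name, which is a different result from a cookie issued without SameSite.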