Update to Tomcat 9.0.33 - broken cookies

OS: Windows Server 2012 R2 Standard
Java Version: 1.8.0_66 (Oracle Corporation) 64bit
Tomcat Version: 9.0.33
Lucee Version:

This is the Chrome error:
A cookie associated with a cross-site resource at http://www.mysite.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

To get rid of the error I updated to Tomcat 9.0.33 (AND updated to this new version of Lucee) which has the cookieProcessor support.
In tomcat\conf\context.xml I added the following:
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" sameSiteCookies="none" />

After doing all of this the cookies seem to not work. Unless the url contains the cfid and cftoken the session is lost. So stuff like our session based shopping carts are lost. Session variables that keep logged in variables are gone, so users are sent to the login page, etc.
I suspected it was related to updating to Tomcat 9.0.33, however after restoring the lib and bin folders back to Tomcat version 8.0.28, restarting Lucee and IIS, the issue persists.

Lucee Admin Server and Web Scope has the following settings:
Session Type: Application, Session Management, Client Cookies. Session Storage: Memory, Client Storage: cookie

I’ve spent 2 days trying to get all of this to work. Does anyone have suggestions for me to look at? I’ve exhausted my options and have no one else to help me troubleshoot this. Thanks!
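As an added example, not code from the thread or from Lucee/Tomcat, the small checker below classifies a Set-Cookie header the way Chrome 80 does (the rules quoted in the Chrome message above): a cookie with SameSite=None but no Secure attribute is rejected outright, a Secure cookie set from an http:// origin is rejected, and a cookie with no SameSite attribute is stored but treated as Lax. The cookie names and the www.mysite.com host are constructed placeholders taken from the post.

```python
# Added example: classify Set-Cookie headers under Chrome 80 cookie rules,
# to see whether a session cookie is stored at all and when it is sent.
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {lowercase attr: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def chrome80_verdict(header, origin_url):
    """Return (name, outcome, reason); outcome is 'rejected', 'same-site' or 'cross-site'."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    over_https = urlsplit(origin_url).scheme == "https"
    if secure and not over_https:
        # Strict Secure Cookies: an http:// origin cannot set a Secure cookie.
        return name, "rejected", "Secure attribute set from an http:// origin"
    if samesite == "none":
        if not secure:
            return name, "rejected", "SameSite=None without Secure"
        return name, "cross-site", "SameSite=None; Secure"
    if samesite in ("lax", "strict"):
        return name, "same-site", f"SameSite={samesite.capitalize()}"
    # Lax by default: withheld from cross-site subrequests and cross-site POSTs.
    return name, "same-site", "no SameSite attribute, Chrome 80 defaults it to Lax"


# Constructed headers modelled on the CFID session cookie from the post.
SAMPLE_HEADERS = [
    ("CFID=1234; Path=/; HttpOnly", "http://www.mysite.com/"),
    ("CFID=1234; Path=/; HttpOnly; SameSite=None", "http://www.mysite.com/"),
    ("CFID=1234; Path=/; HttpOnly; SameSite=None; Secure", "http://www.mysite.com/"),
    ("CFID=1234; Path=/; HttpOnly; SameSite=None; Secure", "https://www.mysite.com/"),
]


def audit(samples=SAMPLE_HEADERS):
    """Evaluate every (header, origin) pair and return the verdicts in order."""
    return [chrome80_verdict(header, url) for header, url in samples]
```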

Maybe as a workaround, you could change the cookies response header with an IIS outbound rule and URLRewrite. Found a post by Pete Freitag.


Note: There is currently a bug affecting Mac OSX and iOS which causes SameSite=None cookies to be inadvertently treated as SameSite=Strict and therefore not sent with cross-site requests. (See https://bugs.webkit.org/show_bug.cgi?id=198181) Until this is fixed, SameSite=None may not work properly on Safari.


This is a Chrome security enhancement that has nothing to do with Tomcat per se. This was introduced in Chrome 80 and announced here: https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html?m=1