Rowan Merewood

I'm not super familiar with Rails, but looking around your configuration does look correct - as in, I would expect this to add `SameSite=Strict` to your `Set-Cookie` header. Can you...

Short answer: yes, any cross-site cookies must be `SameSite=None; Secure`. Options: - Can you have your internal sites as subdomains? e.g `http://app1.internal`, `http://app2.internal`? - Can you provision free certificates via...

Those `header()` calls are examples of how to set a cookie with those attributes. You cannot drop them in directly, you need to replace the places where you are setting...

I see that https://github.com/django/django/pull/11894 is addressing this. I'll drop in a page asap.

This sounds as if you might have "Block third-party cookies" enabled in the browser. You can check this in: Settings → Site Settings → Cookies and site data → Block...

Thoughts on this: - Is it necessary for these to be wholly separate sites as opposed to separate sub-domains? e.g. `foo.com` and `usercontent.foo.com`. Requests between these would not be cross-site...

Apologies, I don't have recent Tomcat experience, so just trying to understand. Is this to set `None` for a specific cookie or is it setting it for all cookies?

Would you be able to change this to show setting `SameSite=Lax` for the default value and how to set `SameSite=None` for specific cookies that need it? I appreciate the contribution,...

The cookies are likely coming from Google Analytics, not your site. If you are using third-party services with cookies on your site, it's the provider of the service that needs...

I wasn't able to find any documentation on Weblogic supporting the SameSite attribute for cookies at all. There is [this thread in the support forum](https://community.oracle.com/thread/4307146). I would suggest commenting there...