How to configure SameSite cookie setting in Gluu Server

VM based deployments

  • Open the https_gluu.conf file of your Gluu Server’s Apache.

  • Add or modify the following directives so that they read as below:

     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    
     # Previous rule, kept for reference: HttpOnly on every cookie except opbs and session_state
     #    Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
     # Session cookies that must be sent in cross-site requests get SameSite=None (which requires Secure)
     Header edit Set-Cookie ^((opbs|session_state|session_id).*)$ $1;HttpOnly;Secure;SameSite=None
     # Remaining Gluu cookies are only needed in a first-party context and get SameSite=Lax
     Header edit Set-Cookie ^((org.gluu.i18n.Locale|current_session|rp_session_id|JSESSIONID).*) $1;HttpOnly;Secure;SameSite=Lax
    
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    
    
  • Restart Apache.

  • The resulting cookie attributes should look like the screenshot below:

[Screenshot: Gluu_CE_sameSite_result.png]


Kubernetes/CN Deployments

How-to

  1. Edit the NGINX ingress ConfigMap:

     kubectl -n ingress edit cm nginx-load-balancer-microk8s-conf

  2. Add the following under the .data section (create data: if it does not already exist):

     data:
       http-snippet: |
         proxy_cookie_flags "~^(opbs|session_state|session_id)" secure httponly samesite=none;
         proxy_cookie_flags "~^(org.gluu.i18n.Locale|current_session|rp_session_id|JSESSIONID)" secure httponly samesite=lax;

  3. Verify the cookies in your browser's developer tools. You should see Secure, HttpOnly, and the expected SameSite attributes applied:

[Screenshot: cookies.png]
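To make the effect of the two rewrite rules concrete (the Apache Header edit rules above and the equivalent proxy_cookie_flags rules) and to check the result, here is an added Python example that is not part of this article or of the Gluu code base: it applies the same two cookie-name groups to constructed Set-Cookie values and reports missing or inconsistent attributes. The sample header values and the helper names are assumptions made for the example.

```python
import re

# Cookie groups from the article: cross-site session cookies get SameSite=None, the rest Lax.
NONE_COOKIES = ("opbs", "session_state", "session_id")
LAX_COOKIES = ("org.gluu.i18n.Locale", "current_session", "rp_session_id", "JSESSIONID")
# Prefix-anchored like the Apache "Header edit" rules; dots escaped so "org.gluu.i18n.Locale" is literal.
_NONE_RE = re.compile(r"^(" + "|".join(map(re.escape, NONE_COOKIES)) + r")")
_LAX_RE = re.compile(r"^(" + "|".join(map(re.escape, LAX_COOKIES)) + r")")

def rewrite_set_cookie(header: str) -> str:
    """Append the flags the proxy rules add to one Set-Cookie header value."""
    if _NONE_RE.match(header):
        return header + ";HttpOnly;Secure;SameSite=None"
    if _LAX_RE.match(header):
        return header + ";HttpOnly;Secure;SameSite=Lax"
    return header  # cookies outside both lists are left untouched, as in the config

def parse_attrs(header: str) -> dict:
    """Map each cookie attribute (lower-cased name) to its value, if any."""
    attrs = {}
    for part in header.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip()
    return attrs

def check_cookie(header: str) -> list:
    """Return findings for one Set-Cookie value; an empty list means it is as expected."""
    name = header.split("=", 1)[0].strip()
    attrs = parse_attrs(header)
    samesite = attrs.get("samesite", "").lower()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if name in NONE_COOKIES and samesite != "none":
        findings.append("expected SameSite=None")
    if name in LAX_COOKIES and samesite != "lax":
        findings.append("expected SameSite=Lax")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    return findings

# Constructed sample headers (not captured from a real Gluu server).
SAMPLE_HEADERS = ["session_id=abc123; Path=/", "JSESSIONID=node01xyz; Path=/identity"]

def audit(headers=SAMPLE_HEADERS) -> dict:
    """Findings per cookie after the proxy rewrite; an empty dict means every cookie passed."""
    return {h.split("=", 1)[0]: f for h in headers if (f := check_cookie(rewrite_set_cookie(h)))}
```

Running check_cookie over the raw Set-Cookie values seen in the browser after the change gives the same verification as the screenshot step, but in a form that can be scripted.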

⚠️ WARNING

Adding server-snippet or configuration-snippet directly via ingress annotations may introduce security risks.

Refer to the official ingress documentation for details:
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations-risk/
