How to add SameSite attribute to JSESSIONID cookie?

Hi everyone,

I’m currently using Jenkins version 2.492 and I’m trying to explicitly set the SameSite attribute on the JSESSIONID cookie to enhance session security and browser compatibility—especially for cross-origin scenarios (e.g., reverse proxy setups or embedded iframes in internal dashboards).

What I’ve tried so far:

I came across the system property:
-Dhudson.jenkins.security.JettySameSiteCookieSetup.sameSiteDefault=Strict

My questions:

  1. Is this the correct way to ensure that Jenkins sets the SameSite=Strict (or Lax or None) flag on JSESSIONID?
  2. Is this property officially supported in Jenkins 2.492, or is it limited to a specific Jetty version or Jenkins release?
  3. Is there any way to verify via response headers that the SameSite attribute has been successfully applied by Jenkins?
  4. Does Jenkins provide any alternative or plugin-based way to configure cookie attributes for session security?

Any clarification or examples from working setups would be really appreciated. Thanks in advance!

hudson.jenkins.security.JettySameSiteCookieSetup.sameSiteDefault is very new. It was only released just this week.

I have also tried the method of using a HttpResponseWrapper and wrapping the response in it. The code does get compiled, but I don’t see the SameSite attribute there, and I don’t even get any errors.
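On question 3 in the thread (verifying via response headers), one way to check is to audit the Set-Cookie values a response carries. This is an added example, not code from any poster or from Jenkins; the header strings are constructed samples, and matching the cookie by the prefix `JSESSIONID` (so that a suffixed name also matches) is an assumption.

```python
# Added example: audit Set-Cookie header values for the SameSite attribute.
# The header strings in SAMPLE_HEADERS are constructed, not captured Jenkins output.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookies(set_cookie_values, prefix="JSESSIONID"):
    """Return one finding per cookie whose name starts with `prefix` (assumed naming)."""
    findings = []
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        if not name.startswith(prefix):
            continue
        same_site = attrs.get("samesite")  # None when the attribute is absent
        problems = []
        if same_site is None:
            problems.append("SameSite missing")
        elif same_site.lower() not in ("strict", "lax", "none"):
            problems.append("unrecognised SameSite value")
        elif same_site.lower() == "none" and "secure" not in attrs:
            # Browsers reject SameSite=None cookies that lack the Secure flag.
            problems.append("SameSite=None without Secure")
        if "httponly" not in attrs:
            problems.append("HttpOnly missing")
        findings.append({"name": name, "samesite": same_site, "problems": problems})
    return findings


SAMPLE_HEADERS = [  # constructed sample values
    "JSESSIONID.0a1b2c3d=node0abc123; Path=/; HttpOnly; SameSite=Strict",
    "JSESSIONID.0a1b2c3d=node0abc123; Path=/; HttpOnly",
    "JSESSIONID.0a1b2c3d=node0abc123; Path=/; HttpOnly; SameSite=None",
    "other=1; Path=/",
]

if __name__ == "__main__":
    for finding in audit_session_cookies(SAMPLE_HEADERS):
        print(finding)
```

Feed it the Set-Cookie values from a response that actually creates a session (for example as shown in the browser's network tab); a response that sets no session cookie produces no findings.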