How to add SameSite attribue to JSESSIONID cookie?

StarLord087 · June 5, 2025, 10:32am

Hi everyone,

I’m currently using Jenkins version 2.492 and I’m trying to explicitly set the SameSite attribute on the JSESSIONID cookie to enhance session security and browser compatibility—especially for cross-origin scenarios (e.g., reverse proxy setups or embedded iframes in internal dashboards).

What I’ve tried so far:

I came across the system property:
-Dhudson.jenkins.security.JettySameSiteCookieSetup.sameSiteDefault=Strict

My questions:

Is this the correct way to ensure that Jenkins sets the SameSite=Strict (or Lax or None) flag on JSESSIONID?
Is this property officially supported in Jenkins 2.492, or is it limited to a specific Jetty version or Jenkins release?
Is there any way to verify via response headers that the SameSite attribute has been successfully applied by Jenkins?
Does Jenkins provide any alternative or plugin-based way to configure cookie attributes for session security?

Any clarification or examples from working setups would be really appreciated. Thanks in advance!

mawinter69 · June 5, 2025, 12:05pm

hudson.jenkins.security.JettySameSiteCookieSetup.sameSiteDefault is very new. It was only released just this week.

StarLord087 · June 5, 2025, 12:52pm

I have also tried the method of using a HttpResponseWrapper and wrapping the response in it code does get compiled but i don’t see the samesite attribute there, i don’t even get any errors

Topic		Replies	Views
How to enable samesite cookie Community	0	473	March 31, 2023
Getting error on console output Using Jenkins	6	1310	April 9, 2025
HSTS Missing From HTTPS Server (RFC 6797) Ask a question question	3	1782	February 16, 2024
HTTPS not working after jenkins upgrade (only HTTP) Using Jenkins question	1	731	June 9, 2023
Set hudson.model.DirectoryBrowserSupport.CSP as default Ask a question	1	29	April 8, 2025

How to add SameSite attribue to JSESSIONID cookie?

What I’ve tried so far:

My questions:

Related topics