Hi everyone,
I’m currently using Jenkins version 2.492 and I’m trying to explicitly set the SameSite attribute on the JSESSIONID cookie to enhance session security and browser compatibility—especially for cross-origin scenarios (e.g., reverse proxy setups or embedded iframes in internal dashboards).
What I’ve tried so far:
I came across the system property:
-Dhudson.jenkins.security.JettySameSiteCookieSetup.sameSiteDefault=Strict
My questions:
- Is this the correct way to ensure that Jenkins sets the SameSite=Strict (or Lax, or None) flag on JSESSIONID?
- Is this property officially supported in Jenkins 2.492, or is it limited to a specific Jetty version or Jenkins release?
- Is there any way to verify via response headers that the SameSite attribute has been successfully applied by Jenkins?
- Does Jenkins provide any alternative or plugin-based way to configure cookie attributes for session security?
Any clarification or examples from working setups would be really appreciated. Thanks in advance!
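Added example, not part of the original post and not Jenkins project code: a POSIX shell check that pulls a Jenkins page's response headers with curl and reports the SameSite and Secure attributes on the session cookie. The JENKINS_URL variable, the choice of /login as the page to request, and the sample header blocks are assumptions or constructed data. Jenkins normally names its session cookie JSESSIONID.<hash> rather than plain JSESSIONID, so the check matches the cookie name by prefix.

```shell
#!/bin/sh
# Added example (not from the original post, not Jenkins code): verify the
# SameSite attribute on the Jenkins session cookie from response headers.

# cookie_attr <cookie-name-prefix> <attribute>   (raw HTTP headers on stdin)
# Prints the attribute value (e.g. "Strict"), "present" for flag attributes
# such as Secure/HttpOnly, "missing" if the cookie is set without it, or
# "no-cookie" if no Set-Cookie line matches the prefix. If several matching
# Set-Cookie lines appear, the last one wins.
cookie_attr() {
  awk -v want="$1" -v attr="$2" '
    tolower($0) ~ /^set-cookie:/ {
      line = $0
      sub(/\r$/, "", line)                 # drop CR from CRLF line endings
      sub(/^[^:]*:[ \t]*/, "", line)       # strip the "Set-Cookie:" header name
      n = split(line, parts, ";")          # parts[1] is name=value, rest are attrs
      split(parts[1], kv, "=")
      cname = kv[1]
      gsub(/^[ \t]+|[ \t]+$/, "", cname)
      if (index(cname, want) != 1) next    # prefix match: JSESSIONID.<hash>
      seen = 1
      result = "missing"
      for (i = 2; i <= n; i++) {
        a = parts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", a)
        split(a, av, "=")
        if (tolower(av[1]) == tolower(attr))
          result = (av[2] == "") ? "present" : av[2]
      }
    }
    END { print (seen ? result : "no-cookie") }'
}

# check_samesite <cookie-name-prefix>   (raw HTTP headers on stdin)
# Returns 0 when SameSite is set and, for SameSite=None, Secure is also set
# (browsers reject SameSite=None cookies that lack Secure). Returns 1 otherwise.
check_samesite() {
  hdrs=$(cat)
  ss=$(printf '%s\n' "$hdrs" | cookie_attr "$1" SameSite)
  sec=$(printf '%s\n' "$hdrs" | cookie_attr "$1" Secure)
  case "$ss" in
    no-cookie) echo "no $1 cookie in response"; return 1 ;;
    missing)   echo "$1 is set without SameSite"; return 1 ;;
    [Nn]one)   [ "$sec" = present ] || { echo "SameSite=None requires Secure"; return 1; } ;;
  esac
  echo "$1: SameSite=$ss Secure=$sec"
  return 0
}

# Fetch only the response headers. No --insecure: fix the TLS chain instead.
fetch_headers() {
  curl -sS -o /dev/null -D - "$1"
}

# Constructed sample responses (not captured from a real server) so the
# parsing can be exercised offline.
SAMPLE_OK='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID.7a1c2d3e=node01abc.node0; Path=/; HttpOnly; Secure; SameSite=Strict
Content-Type: text/html;charset=utf-8'

SAMPLE_NO_SAMESITE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID.7a1c2d3e=node01abc.node0; Path=/; HttpOnly'

SAMPLE_NONE_NO_SECURE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID.7a1c2d3e=node01abc.node0; Path=/; HttpOnly; SameSite=None'

# Live usage: JENKINS_URL is an assumed variable, e.g. https://jenkins.example.com
# /login is assumed to be a page that starts a session and therefore sets the cookie.
if [ -n "${JENKINS_URL:-}" ]; then
  fetch_headers "$JENKINS_URL/login" | check_samesite JSESSIONID
fi
```

Run the check both directly against the Jenkins port and through the reverse proxy: a proxy can add, strip or rewrite cookie attributes on the way out, so the two answers may differ, and the one the browser sees is the proxied one.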