For better security, Digital.ai Release 22.1 and later support the sameSite attribute of the Set-Cookie HTTP response header, which allows session cookies to be restricted to a first-party or same-site context.
Valid values for the new xl.server.http.cookie.sameSite configuration parameter are Lax and Strict.
For sites that use OIDC, the sameSite parameter must always be set to Lax.
For remember-me, the sameSite parameter must always be set to Strict.
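One way to confirm that the setting took effect is to audit the Set-Cookie headers the server returns. The check below is an added example, not part of the Digital.ai documentation. The cookie names, header values and the mapping of cookies to expected values are constructed placeholders.

```python
# Added example: audit Set-Cookie header values for the SameSite attribute.
# Cookie names and sample headers are constructed placeholders, not the
# product's real cookie names.

ALLOWED = {"Lax", "Strict"}  # the values the page lists as valid


def parse_set_cookie(header):
    """Return (cookie_name, samesite_value_or_None) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "samesite":
            # Attribute names and values are matched case-insensitively.
            samesite = val.strip().capitalize()
    return name, samesite


def audit(headers, expected):
    """Return a list of (cookie_name, problem) for headers that break policy."""
    findings = []
    for header in headers:
        name, samesite = parse_set_cookie(header)
        if samesite is None:
            findings.append((name, "missing SameSite"))
        elif samesite not in ALLOWED:
            findings.append((name, "unsupported value " + samesite))
        elif name in expected and samesite != expected[name]:
            findings.append(
                (name, "expected %s, got %s" % (expected[name], samesite)))
    return findings


# Constructed sample: headers as they might be captured from a login response.
SAMPLE_HEADERS = [
    "SESSION_COOKIE=abc123; Path=/; HttpOnly; SameSite=Lax",
    "REMEMBER_ME_COOKIE=def456; Path=/; HttpOnly; Max-Age=1209600; samesite=lax",
    "OTHER_COOKIE=1; Path=/",
]
# Assumed policy for an OIDC site with remember-me enabled.
EXPECTED = {"SESSION_COOKIE": "Lax", "REMEMBER_ME_COOKIE": "Strict"}

if __name__ == "__main__":
    for cookie, problem in audit(SAMPLE_HEADERS, EXPECTED):
        print(cookie + ": " + problem)
```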
Example sameSite Cookie Configuration in the xl-release.conf file