Chrome browser, cross-site cookies new secure by default behavior

Hi guys,
As you might already know starting with Chrome v84 a secure-by-default model has been introduced to cookies which do not have the SameSite attribute set. So all cookies which do not set this value will be considered by the browser as “SameSite=Lax”, hence these cookies can be accessed only from the origin. More info here

This means that if you had embedded Confluence content in another domain (e.g via an iframe) now it will fail to render if the browser you are using to access the content is Chrome. This because the value SameSite is not set for the JSESSIONID cookie (or other cookies) which is used to share the authentication and the browser will block it.
Of course in that case a message comes out saying you are not logged in even though you have done so already.

The most convenient option to fix this is to set the SameSite value to None and Secure for this cookie, but unfortunately this is something which has to be done internally in Confluence/Jira where this cookie is first generated and where the needed headers are applied on creation.

Setting the attribute “SameSite=None; Secure” would allow the reuse of this cookie cross-site only via HTTPS.

I was wondering if anyone else is having the same issue and if yes do you know if Atlassian is planning to fix it anytime soon?


We are running into the exact same issue! We need a solution to automatically get our Jira ServiceDesk (server) users a Confluence cookie. The iframe worked fine for a while, and now is broken due to what Andi described above. We are using Refined for Jira ServiceDesk for the iFrame. If anyone has any solution or workaround for this problem, I would greatly appreciate it. Thank you!

@WillBalson, well you could use the solution provided by Tobias here at this bug if you need a quick workaround :slight_smile: