Hello Abirami,

Well, strict does what it promises, so if those third-party REST services were expecting some cookies that now are not being sent by the browser, it is normal that they do not work as expected.
Internal implementation: sure! You can always have a look at the code of the different CookieProcessors [1] & [2]

Hope it helps,

Luis

[1] https://github.com/apache/tomcat/blob/f3c9fdd40bdbc3dc22b512596954e2bc6d424d5a/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
[2] https://github.com/apache/tomcat/blob/623b2c9d0997481f1c5229135fa2f92e24303e47/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java

On Tue, 9 Jun 2020 at 7:59, S Abirami (<s.abir...@ericsson.com.invalid>) wrote:

> Hi Team,
>
> In our product, to address a security vulnerability, we have
> introduced the following entry in context.xml
>
> <CookieProcessor sameSiteCookies="strict" />
>
> After introducing the above line, I noticed that a few REST services which
> are not deployed in that Tomcat are also getting impacted.
>
> Deployment Details
>
> Deployed : RHEL
> Tomcat Installation format : tar.gz
>
> Hence, I am interested to know about the internal implementation of the
> context in Tomcat to understand the impact.
>
> Thanks in advance for the support.
>
> Regards,
> Abirami.S

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
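The browser-side effect described in the reply above, as an added example that is not part of the thread and not Tomcat's code: a simplified model of when a browser attaches a cookie depending on its SameSite mode. The site names, the `Request` fields and the scenarios are constructed, and same-site comparison is reduced to equality of sites supplied by the caller.

```python
# Added example: simplified model of a browser's SameSite decision.
# Sites, field names and scenarios are constructed for illustration.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    initiator_site: str            # site of the page that issues the request
    target_site: str               # site that owns the cookie (the Tomcat app)
    method: str = "GET"
    top_level_navigation: bool = False  # True for link clicks / address bar


def cookie_is_sent(same_site: str, req: Request, secure: bool = True) -> bool:
    """Return True if a cookie scoped to req.target_site is attached."""
    mode = same_site.lower()
    if mode not in ("strict", "lax", "none"):
        raise ValueError(f"unsupported SameSite value: {same_site!r}")
    if mode == "none" and not secure:
        return False  # current browsers reject SameSite=None without Secure
    if req.initiator_site == req.target_site:
        return True   # same-site request: allowed in every mode
    if mode == "strict":
        return False  # never attached to a cross-site request
    if mode == "lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    return True       # none: attached cross-site as well


def compare_modes(req: Request) -> dict:
    """Evaluate one request under all three SameSite modes."""
    return {m: cookie_is_sent(m, req) for m in ("strict", "lax", "none")}


# Constructed scenarios: the Tomcat application lives on https://app.example.
CROSS_SITE_API_CALL = Request("https://portal.example", "https://app.example", "POST")
CROSS_SITE_LINK = Request("https://portal.example", "https://app.example", "GET", True)
SAME_SITE_CALL = Request("https://app.example", "https://app.example", "POST")

if __name__ == "__main__":
    for name, req in [("cross-site API call", CROSS_SITE_API_CALL),
                      ("cross-site link click", CROSS_SITE_LINK),
                      ("same-site call", SAME_SITE_CALL)]:
        print(f"{name:22} {compare_modes(req)}")
```

Only the same-site call carries the cookie under `strict`, which is why clients on another site that rely on the Tomcat session cookie stop working once the attribute is added.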