Session Cookie - SameSite

Hi @patrick
I’m testing a capacitor mobile app on web but the session id cookie is not being set because the samesite attribute is missing so it defaults to Lax. I’m concerned that because different devices use different hostnames under Capacitor that sessions may be inconsistent at best.

Is it possible to set this to None as a default for the web (API) project? (or a project option to set it as None)

There is also another issue with cookies and their options

If set to SameSite None when setting a cookie, the remove step does not issue the same options and therefore does not actually remove it:

Having a similar issue on logout. It looks like the Response Header is trying to clear out the cookie, but SameSite was not set so it defaulted to lax and blocked the Set Cookie.


I have set the Security Provider to “None”, but the Logout action seems to not follow it.

Good day, @patrick. Are you able to assist with our logout issue?

You can test the following update: (5.3 KB) unzip to lib/core.

Thanks @patrick! That appears to resolve the issue for me. @bpj let us know if it helps you as well.