apache / cordova

Apache Cordova
https://cordova.apache.org/

SameSite=none is not added in the request #383

Closed mayconghizoni closed 1 year ago

mayconghizoni commented 1 year ago

I have an app with WebView that consumes a tomcat application. In my app previously I used cordova 9.1.0 for Android and the requests to my server came with "SameSite=none" in the "Set-Cookies" session. When upgrading to cordova 11.0.0 for Android, requests to my server don't get this property back and I'm trying to manually add "SameSite=none" in my tomcat/filter. Do you have any treatment for this problem?

breautek commented 1 year ago

Set-Cookie is a response header. The client (e.g. Cordova) cannot set this header. This isn't to be confused with the Cookie request header, which is what is sent to the server.

SameSite is part of Set-Cookie, only the server can set this option when setting cookies. The Cookie request header which gets sent to the server will not have SameSite in its value because it's not relevant. The purpose of the SameSite option is to tell the browser/webview how it should accept the cookie, depending on its cookie policy, so there is no reason for the browser to send the SameSite configuration back to the server.

Generally speaking, to set the SameSite configuration, the server must set the Set-Cookie: cookie-name=cookie-value; SameSite=None; Secure header for the response of a request. How to do that in Tomcat I'm not sure, you may have to refer to their documentation.

Closing because this isn't describing a bug with Cordova.

For support with Cordova, it will be best to raise a topic on the Discussions board.

However, for support with Tomcat, you would probably have better luck going through their support channels.
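
The split between the Set-Cookie response header and the Cookie request header described in this thread, as an added example that is not part of the original issue or of Cordova's code. It is a simplified model of a client cookie store: the function names and sample headers are constructed, Domain/Path matching is left out, and the "SameSite=None requires Secure" check is assumed to match what current Chromium-based webviews enforce.

```javascript
// Added example: a simplified model of how a client handles Set-Cookie vs. Cookie.
// All function names and sample header values are constructed for illustration.

// Parse one Set-Cookie response header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair, so nothing to store
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Client-side acceptance policy (assumed): SameSite=None is only honoured
// when the cookie is also marked Secure; otherwise the cookie is dropped.
function accept(cookie) {
  const sameSite = String(cookie.attrs.samesite || '').toLowerCase();
  if (sameSite === 'none' && !cookie.attrs.secure) {
    return { stored: false, reason: 'SameSite=None without Secure' };
  }
  return { stored: true, reason: 'ok' };
}

// Build the Cookie request header: only name=value pairs go back to the
// server. Attributes such as SameSite, Secure or Path are never echoed.
function cookieRequestHeader(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && accept(c).stored)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed response headers, as a server might send them.
const responseHeaders = [
  'JSESSIONID=abc123; Path=/; HttpOnly; SameSite=None; Secure',
  'tracking=xyz; SameSite=None', // dropped: SameSite=None but not Secure
  'theme=dark; Path=/',
];

console.log('Cookie: ' + cookieRequestHeader(responseHeaders));
```

To confirm what the server actually sends, inspect the Set-Cookie header on the response; the Cookie header on later requests will not show SameSite either way.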