Enabling SameSite Cookie

   KB 24416        Last updated on 2022-03-30  


From Kepler-Patch-24 and Joule-Patch-31 onwards, customers can use the SameSite cookie attribute for additional security when using the Web App.

Enabling SameSite cookie

A localconfig attribute, zimbra_same_site_cookie, has been added. Its default value is Strict. To change the value, execute the following commands as the zimbra user:

  • To enable the SameSite cookie in Lax mode:
    zmlocalconfig -e zimbra_same_site_cookie=Lax
  • To disable the SameSite cookie:
    zmlocalconfig -e zimbra_same_site_cookie=None
  • Restart the zmmailboxdctl service to make the changes effective:
    zmmailboxdctl restart

Verifying SameSite cookie

The value of the SameSite cookie can be verified through the browser's developer console. Navigate to Storage -> Cookies. Click on the Web App link. In the table, check the value of SameSite for ZM_AUTH_TOKEN. It should be Strict if the value is set to Strict, Lax if the value is set to Lax, and None if the cookie is disabled.
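The same check can be scripted against saved response headers. This is an added example, not part of the original article or of Zimbra's tooling: the function names and the sample headers are constructed for illustration, and it assumes you have saved the response headers of a Web App login (for example, copied from the browser's network tab).

```shell
#!/bin/sh
# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: OTHER_COOKIE=1; Path=/; Secure
Set-Cookie: ZM_AUTH_TOKEN=0_constructed_sample_value; Path=/; Secure; HttpOnly; SameSite=Lax
'

# samesite_of NAME: read HTTP response headers on stdin and print the SameSite
# value of cookie NAME. Prints "unset" if the cookie carries no SameSite
# attribute; returns 1 if the cookie is not set at all.
samesite_of() {
    awk -v name="$1" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)       # drop the header name
            n = split(line, parts, /;[ \t]*/)    # parts[1] is name=value
            eq = index(parts[1], "=")
            if (eq == 0 || substr(parts[1], 1, eq - 1) != name) next
            found = 1
            value = "unset"
            for (i = 2; i <= n; i++)
                if (tolower(parts[i]) ~ /^samesite=/)
                    value = substr(parts[i], 10) # text after "SameSite="
            print value
            exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_samesite EXPECTED: compare the SameSite value of ZM_AUTH_TOKEN
# (headers on stdin) with the value configured in zimbra_same_site_cookie.
# Returns 0 on match, 1 on mismatch, 2 if ZM_AUTH_TOKEN is missing.
check_samesite() {
    actual=$(samesite_of ZM_AUTH_TOKEN) || {
        echo "ZM_AUTH_TOKEN not set in response"; return 2; }
    a=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')  # values are case-insensitive
    e=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ "$a" = "$e" ]; then
        echo "OK: ZM_AUTH_TOKEN SameSite=$actual"
    else
        echo "MISMATCH: expected $1, got $actual"; return 1
    fi
}

printf '%s\n' "$SAMPLE_HEADERS" | check_samesite Lax
```

A mismatch after changing the value usually means the zmmailboxdctl restart step has not been run yet.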
