Skip to Main Content
Forums

ORDS, SODA & JSON in the Database

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

SameSite Cookie Settings in Tomcat Not Applied to ORDS/APEX Cookies

usha raoNov 26 2025 — edited Nov 26 2025

Environment:

  • Oracle APEX version 24.2
  • ORDS version 24.2.3 deployed on Apache Tomcat
  • Tomcat version 9.0.98
  • HTTPS enabled
  • AppSec requirement to enforce SameSite attribute on cookies

Issue Summary:

I am trying to apply the SameSite cookie attribute for browser cookies in an APEX application running through ORDS on Apache Tomcat.I have configured the following in Tomcat’s context.xml:

<Context> <CookieProcessor sameSiteCookies="Lax" /> </Context>

This configuration works perfectly for all Java web applications deployed on the same Tomcat instance — the JSESSIONID cookie correctly shows SameSite=Lax under browser developer tools.

However, when accessing the APEX application via ORDS, the SameSite attribute does not appear on the cookies generated for APEX.
This post has been answered by usha rao on Dec 2 2025
Jump to Answer
Comments
Post Details
Added on Nov 26 2025
9 comments
257 views
1 mention