Cookie Settings for PoolParty
04/09/2025
You can use the SameSite and HttpOnly cookie flags to make the PoolParty managed cookies more secure.
The SameSite cookie flag prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
The HttpOnly cookie flag is an attribute added to a browser cookie that prevents client-side scripts from accessing its data. It acts as a gate so that the cookie can be read only by the server, not by anything running in the page. Setting the HttpOnly flag when generating a cookie mitigates the risk of client-side scripts reading the protected cookie, which makes these cookies more secure.
By default, PoolParty comes with the HttpOnly flag activated and the SameSite flag set to lax.
HttpOnly Flag
1. Open the settings file located in PPAppDir/tomcat/conf/web.xml.
2. Find the cookie-config section (web-app > session-config > cookie-config) and set the value inside the http-only element to true or false.
3. Restart the PoolParty server for the changes to take effect.
SameSite Flag
1. Open the settings file located in PPAppDir/tomcat/conf/context.xml.
2. Find the CookieProcessor section and set the value of the sameSiteCookies attribute to one of the following: strict, lax, none, unset. For more information on the individual values, refer to the Apache Tomcat documentation.
3. Restart the PoolParty server for the changes to take effect.
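The following is an added example, not PoolParty's own code or documentation. It embeds constructed fragments of the two settings files described above (the cookie-config section of web.xml and the CookieProcessor element of context.xml) and reads the HttpOnly and SameSite values back out of them, so an administrator can confirm a setting before restarting the server. The file contents, the className value and the assumption that a missing sameSiteCookies attribute behaves like unset are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of PPAppDir/tomcat/conf/web.xml.
# The namespace URI is typical for a Servlet web-app descriptor (assumption).
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed sample of the CookieProcessor section of PPAppDir/tomcat/conf/context.xml.
CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="lax" />
</Context>
"""


def _local(tag):
    # Strip an XML namespace prefix such as "{http://...}http-only".
    return tag.rsplit("}", 1)[-1]


def _find_path(root, names):
    # Walk child elements by local name so the descriptor's namespace does not matter.
    node = root
    for name in names:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return node


def http_only_setting(web_xml_text):
    """Return True/False from web-app > session-config > cookie-config > http-only,
    or None when the element is absent."""
    root = ET.fromstring(web_xml_text)
    el = _find_path(root, ["session-config", "cookie-config", "http-only"])
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def samesite_setting(context_xml_text):
    """Return the sameSiteCookies value of the CookieProcessor element
    ('strict', 'lax', 'none' or 'unset'). A missing element or attribute is
    reported as 'unset' (assumption: that matches the behaviour of no attribute)."""
    root = ET.fromstring(context_xml_text)
    cp = root.find("CookieProcessor")
    if cp is None:
        return "unset"
    return cp.get("sameSiteCookies", "unset").strip().lower()


def audit(web_xml_text, context_xml_text):
    """List settings that leave the PoolParty cookies weaker than the defaults
    described on this page (HttpOnly on, SameSite lax)."""
    findings = []
    if http_only_setting(web_xml_text) is not True:
        findings.append("http-only is not true: cookie readable by client-side scripts")
    ss = samesite_setting(context_xml_text)
    if ss not in ("strict", "lax"):
        findings.append(f"sameSiteCookies is '{ss}': cookie sent with cross-site requests")
    return findings


if __name__ == "__main__":
    # With the constructed samples both settings match the documented defaults.
    print("http-only:", http_only_setting(WEB_XML))
    print("sameSiteCookies:", samesite_setting(CONTEXT_XML))
    print("findings:", audit(WEB_XML, CONTEXT_XML) or "none")
```

To check a live installation, replace the two constants with the contents of the real files (for example via open(path).read()); an empty findings list means both flags are at or above the documented defaults.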