The config options prefixed cae.cookie control the CAE's behavior when sending cookies. It is now possible to configure the value of the SameSite attribute and whether or not to force all cookies to Secure and HttpOnly . By default the same site strategy is None and cookies are forced to Secure and HttpOnly .

(CMS-18595)