Cookies issue while embedding Kibana dashboard with iframe

Recently I read this on GitHub:
Currently, Kibana does not set the SameSite attribute on its session cookie. Up until recently, this was tolerable, but Chrome recently (version 80) updated its default configuration to treat unset SameSite attributes to mean Lax.
This is problematic for users who embed Kibana in an iframe. We should allow the SameSite setting to be configurable via kibana.yml, so users can choose if they want Strict, Lax, or None.
Can anyone tell me how to configure this setting (xpack.security.sameSiteCookies) in a proper format in the kibana.yml file? Our Kibana servers are running in Elastic Cloud. @azasypkin @wylie

I applied this setting, xpack.security.sameSiteCookies: None, in the kibana.yml file and I am getting the following error.

This looks correct to me, but it's only a valid setting since 7.8.1 (and additionally 6.8.11). What version of the stack are you using?

Best,
Oleg

We are using 7.8.0 @azasypkin

Then you'll need to upgrade to 7.8.1 or newer (you can safely do this for patch releases).

OK @azasypkin, thanks for your time and help!! :blush:

Is there an option to set the parameters xpack.security.secureCookies: true and xpack.security.sameSiteCookies: None in the cloud hosted environment on https://www.elastic.co? It seems that these are still not supported there.
Can the cloud environment give us access to the server, and we can set the cookie parameters there, depending on the type of server, Nginx, etc?

The solution to this issue is to add this line/setting to your kibana.yml file: xpack.security.sameSiteCookies: None. Your ELK stack version should be above 7.8.0.

2 Likes

Yes, you can do this in the cloud hosted environment. We made the above changes in the kibana.yml file on our cloud hosted environment. Only admins have access to do this. Below is the URL: https://cloud.elastic.co/login?redirectTo=%2Fhome

1 Like
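An added example, not part of any post in this thread and not Kibana's own code: a small audit that classifies a Set-Cookie header by how Chrome 80+ handles it inside a cross-site iframe, which is why the thread pairs xpack.security.sameSiteCookies: None with xpack.security.secureCookies: true. The cookie name `sid` and all header values are constructed sample data.

```python
"""Audit Set-Cookie headers for cross-site iframe embedding (Chrome 80+ rules)."""


def parse_set_cookie(header):
    """Return (cookie_name, {lowercased attribute: value}) for one header value."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def iframe_verdict(header):
    """Classify the cookie as 'sent', 'blocked' or 'rejected' in a cross-site iframe."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if same_site == "none":
        # Chrome only accepts SameSite=None when the Secure flag is also set.
        if "secure" not in attrs:
            return name, "rejected"
        return name, "sent"
    # Unset is treated as Lax; Lax and Strict are both withheld from
    # requests made by a page framed on another site.
    return name, "blocked"


# Constructed sample headers (not captured from a real Kibana instance).
SAMPLES = [
    "sid=abc123; Path=/; HttpOnly",                          # attribute unset
    "sid=abc123; Path=/; HttpOnly; SameSite=None",           # None without Secure
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None",   # embeddable
]

if __name__ == "__main__":
    for sample in SAMPLES:
        cookie, verdict = iframe_verdict(sample)
        print(f"{verdict:9} {cookie}: {sample}")
```
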
