Feature Request
Resolution: Unresolved
Major
This is a feature request for supporting custom cookie attributes as described in the Jakarta Servlet 6.0 specification under https://github.com/jakartaee/servlet/issues/175
As discussed in the issue, the SameSite attribute has not been added to the jakarta.servlet.http.Cookie interface so far, because the RFC is still a draft, although the attribute is widely supported by web browsers. However, custom attributes have been added and implementation in Undertow would be much appreciated.
I have attached a reproducer based on the numberguess WildFly quickstart: numberguess.zip
The quickstart has been enhanced with the following class, which demonstrates the requested feature:
```java
package org.jboss.as.quickstarts.numberguess;

import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.annotation.WebListener;

@WebListener
public class ContextListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent servletContextEvent) {
        SessionCookieConfig sessionCookieConfig = servletContextEvent.getServletContext().getSessionCookieConfig();
        sessionCookieConfig.setSecure(true);
        sessionCookieConfig.setHttpOnly(true);
        sessionCookieConfig.setAttribute("SameSite", "Strict");
        // or sessionCookieConfig.setSameSite(true);
    }
}
```
You can run the quickstart by executing:
$ mvn clean package wildfly:start
Open a browser and the browser's network analyzer and go to http://localhost:8080/numberguess/home.jsf
You will see that Secure and HttpOnly have been added to the Set-Cookie header, but SameSite is missing.
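
An added example, not part of the original report or its reproducer: a Python check that stands in for the manual network-analyzer step by parsing a Set-Cookie header value and reporting which of the configured attributes are absent. The header strings, the session id value and the function names are constructed for illustration.

```python
"""Audit a Set-Cookie header for the session-cookie attributes in this report."""

REQUIRED = ("Secure", "HttpOnly", "SameSite")
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive, so they are stored lower-cased.
    Flag attributes such as Secure carry no value and map to "".
    """
    pair, *attr_parts = header_value.split(";")
    name, _, value = pair.strip().partition("=")
    attributes = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        if key:
            attributes[key.lower()] = val.strip()
    return name, value, attributes


def audit(header_value, expected_samesite="Strict"):
    """Return a list of findings; an empty list means the cookie is as configured."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = [f"missing {a}" for a in REQUIRED if a.lower() not in attrs]
    samesite = attrs.get("samesite")
    if samesite is not None:
        if samesite.lower() not in VALID_SAMESITE:
            findings.append(f"invalid SameSite value {samesite!r}")
        elif samesite.lower() != expected_samesite.lower():
            findings.append(f"SameSite is {samesite}, expected {expected_samesite}")
        # Browsers reject SameSite=None cookies that are not also Secure.
        if samesite.lower() == "none" and "secure" not in attrs:
            findings.append("SameSite=None without Secure")
    return findings


# Constructed sample headers (not captured from a real server).
OBSERVED = "JSESSIONID=abc123.node1; path=/numberguess; secure; HttpOnly"
EXPECTED = OBSERVED + "; SameSite=Strict"

if __name__ == "__main__":
    for label, header in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(label, audit(header) or "ok")
```
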