Article - CS318637

Update and Configure Apache Tomcat to allow ThingWorx to operate in cross-domain environments

Modified: 04-May-2022

Applies To

  • ThingWorx Platform 8.3 to 9.3
  • Google Chrome
  • Apache Tomcat


  • Google is changing the way in which Chrome version 80 (target release date of February 4, 2020) and later will, by default, handle cookies that do not specify a SameSite attribute
  • PTC is taking steps to ensure that ThingWorx implementations are not impacted
    • If you operate with certain deployment architectures, you may need to take additional steps to ensure there is no break in functionality
  • Instances of ThingWorx, PingFederate, and/or Identity Provider residing in different domains will require these additional steps, which include updating and slightly modifying Apache Tomcat
  • Deployments that embed ThingWorx components in another web application residing in a separate domain (from ThingWorx) will also require these additional steps
  • ThingWorx 8.5.3 and later, ThingWorx 8.4.7 and later, ThingWorx 8.3.11 and later are certified against Apache Tomcat 8.5.49 and 9.0.29
    • These versions of Apache Tomcat are also packaged with the ThingWorx installer
    • It is not possible to deploy Docker containers for earlier versions of ThingWorx when using Apache Tomcat 8.5.49 or 9.0.29 or later
  • Additionally, certain older web browsers will mishandle or reject cookies specifying a "SameSite=none" attribute. It is highly recommended to update to the latest browser release
    • Please see details below in the “Notes” column and take appropriate action to ensure proper handling of cookies specifying this attribute
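
One way to check the cookies a server returns once Tomcat has been updated, as an added example that is not PTC's code: it classifies Set-Cookie headers by how Chrome 80 and later treat them on cross-site subrequests (an embedded iframe or XHR from another domain). The function names, sample headers, cookie values and path are constructed for illustration.

```python
# Added example: classify Set-Cookie headers under Chrome 80+ SameSite defaults.
# Rules applied: a cookie with no recognized SameSite value is treated as Lax;
# SameSite=None is only accepted when the Secure attribute is also present.

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cross_site_verdict(header):
    """Return (cookie name, verdict) for a cross-site subrequest."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if "secure" in attrs:
            return name, "sent"
        return name, "rejected: SameSite=None requires Secure"
    if samesite == "strict":
        return name, "withheld: SameSite=Strict"
    if samesite == "lax":
        return name, "withheld: SameSite=Lax"
    return name, "withheld: no recognized SameSite value, treated as Lax"

# Constructed sample headers (not captured from a real ThingWorx server).
SAMPLE_HEADERS = [
    "JSESSIONID=0123ABCD; Path=/example; HttpOnly",
    "JSESSIONID=0123ABCD; Path=/example; HttpOnly; SameSite=None",
    "JSESSIONID=0123ABCD; Path=/example; Secure; HttpOnly; SameSite=None",
]

def audit(headers):
    """Return the verdict for every header, in order."""
    return [cross_site_verdict(h) for h in headers]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {verdict}")
```

Only the third sample header survives a cross-domain embed or single sign-on round trip; the first two are the cases the Tomcat change is meant to eliminate.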
This is a PDF version of Article CS318637 and may be out of date. For the latest version click