A common legacy-app routing setup looks like this:

reverse_proxy tomcat_serverA:8080 tomcat_serverB:8080 {
    lb_policy cookie
}

The result might be:

$ curl -I https://demo.example/portal/
HTTP/2 200
cache-control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
content-type: text/html;charset=UTF-8
date: Fri, 16 Feb 2024 21:54:13 GMT
pragma: no-cache
server: Caddy
set-cookie: lb=b4b924ab173004e449881468ab25c0aa4197efd974ae8c007a7164869c261a69; Path=/

The problem for a Chrome user is that if they arrive from a third-party link, the lb cookie will not be sent to Caddy as the cookie was not set with SameSite=None property.

While setting SameSite=None is a fun debate for applications and their CSRF protections, Caddy doesn't have a potential CSRF vulnerability so SameSite=None as the default makes sense. We want the "sticky" user to always end up on the same upstream if they come from a third-party website, from a bookmark, or from a same-site link.