Modern web development tend to use fronted frameworks with API rest calls to hybris backend. Such approach skips hybris CMS caching system and can lead to performance issues. One of the possible improvement would be to utilize caching on browser side and in such way decrease amount of requests send to server by browser.
SameSite cookie attribute was introduced to improve protection from CSRF attacks by default (read more). 11 August 2020 Chrome changed default behaviour of cookies without SameSite attribute. Starting from that day such cookies would be processed with SameSite=Lax attribute, so cookies would not be sent by default for all third-party POST requests (request made from third-party service to hybris would be also affected).
For example, in case of HOP payment implementation with POST redirect from Payment Provider back to hybris - user will lose his session and see login screen instead of success payment message. Such behaviour encountered due to “JSESSIONID”, “acceleratorSecureGUID” and “storefrontRememberMe” cookies doesn’t specify SameSite attribute.
If someone uses custom tomcat for hybris, be aware that latest version of Tomcat 8.5.32 is not compatible with all versions of hybris and datahub due to implementation in Tomcat of Java EE v.8 specification(EE 5.3.3), which defines that deployment should fail if the lookup element of an annotation or the lookup-name element in a deployment descriptor entry does not specify a name with an explicit java: namespace. This breakable changes was added in apache tomcat commit.