Cannot log into app with 9.20.0

With Mendix 9.20.0, we can no longer log into our SAP Cloud app. The login page shows, but clicking the xsuaa login button reloads the login page and does not show the homepage. The microflow that decides between the login page and the homepage thinks the current user is anonymous, even though after clicking the login button and being redirected to the xsuaa, he should no longer be. In Mendix 9.19.0, there is no problem: the microflow does correctly see that the user is no longer anonymous at that point. We use XSUAA Connector for SAP v.2.1.9. In the browser developer tools, we noticed that the 9.20.0 cookie is different from the 9.19.0 cookie. An extra name __Host-XASSESSIONID appears on top of the existing name XASSESSIONID that appears in both 9.19.0 and 9.20.0. Could it be that Mendix picks up only XASSESSIONID and ignores __Host-XASSESSIONID, even though the latter might contain an association to the logged-in user? What could be a way forward here?
2 answers

I had it confirmed from Mendix support that this is a general issue for OIDC as well (also already included in the docs). It seems to affect most forms of SSO in 9.20+. In my case, the ticket is open, awaiting a fix, and I rolled back my app to an older version in the meantime.


For those of you who are using the SAP XSUAA module, the support team has suggested a fix. You can change line 373 in the file to the following. It worked for us.

response.addCookie(SESSION_ID_COOKIE_NAME, session.getId().toString(), "/", "", -1, true, true);
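Browsers only accept a cookie whose name starts with __Host- when it carries the Secure attribute, has Path=/ and has no Domain attribute; my assumption is that this is what the suggested addCookie call with "/" and "" for path and domain and the two trailing true flags satisfies. The following check, an added example that is not code from Mendix or the XSUAA module, parses a Set-Cookie header and reports which of those prefix rules a __Host- cookie violates, so you can verify what your app actually emits before and after the change (the sample headers are constructed).

```javascript
// Added example, not code from Mendix or the XSUAA module.
// Parses a single Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    if (p === "") continue;
    const i = p.indexOf("=");
    // Attribute names are matched case-insensitively by browsers.
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Returns the list of "__Host-" prefix rules the header violates.
// An empty list means a browser will store the cookie; for a name
// without the prefix the rules do not apply and the list is empty too.
function hostPrefixProblems(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!name.startsWith("__Host-")) return problems;
  if (attrs.secure !== true) problems.push("missing Secure attribute");
  if (attrs.path !== "/") problems.push("Path must be exactly /");
  if ("domain" in attrs) problems.push("Domain attribute not allowed");
  return problems;
}

// Constructed sample headers (not captured from a real app): the first
// is what a browser silently drops, the second is what it accepts.
const REJECTED = "__Host-XASSESSIONID=abc123; Path=/; HttpOnly";
const ACCEPTED = "__Host-XASSESSIONID=abc123; Path=/; Secure; HttpOnly";

console.log(hostPrefixProblems(REJECTED)); // [ 'missing Secure attribute' ]
console.log(hostPrefixProblems(ACCEPTED)); // []
```

A dropped __Host- session cookie shows up exactly as described in the question: the redirect back from xsuaa lands on a request with no usable session, so the app still treats the user as anonymous.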