转发前加上:
String s = response.getHeader("Set-Cookie"); s+="HttpOnly;Secure;SameSite=None"; response.setHeader("Set-Cookie", s);