Description
_LEGACY cookies were introduced in Keycloak as a work-around to SameSite enforcement in browsers. As time has passed, SameSite for cookies is widely supported and this work-around is no longer required.
One caveat to the above is that the _LEGACY cookies also served another purpose, which is that they were available in an insecure context, while the regular cookies are not. This results in login not working as expected when accessing a Keycloak deployment not through localhost, but through http rather than https. This is of course not recommended at all in production, but frequently used during development or testing. An alternative to the above is to conditionally set the secure flag on cookies only when accessed over a secure context, as well as changing SameSite=None cookies to SameSite=Lax, as user-agents will not send cookies with SameSite=None if they do not have the secure flag set.
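As an added illustration of the conditional rule proposed above (example code, not Keycloak's own), the following Python builds a Set-Cookie header that only carries Secure on a secure context and downgrades SameSite=None to Lax otherwise; the cookie name and hosts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CookieAttrs:
    name: str
    value: str
    secure: bool
    same_site: str


def is_secure_context(scheme: str, host: str) -> bool:
    """https is always a secure context; browsers also treat localhost as one,
    which is why the http://localhost development case keeps working."""
    hostname = host.split(":")[0].lower()
    return scheme.lower() == "https" or hostname in ("localhost", "127.0.0.1")


def cookie_attrs(name: str, value: str, wanted_same_site: str,
                 secure_context: bool) -> CookieAttrs:
    """Pick Secure and SameSite for one cookie from the request context.

    On a secure context the cookie is marked Secure and keeps the SameSite
    value the caller asked for. On an insecure context (plain http, not
    localhost) the Secure flag would hide the cookie from the browser, and a
    SameSite=None cookie without Secure is rejected by user-agents, so the
    only workable downgrade is SameSite=Lax.
    """
    if secure_context:
        return CookieAttrs(name, value, secure=True, same_site=wanted_same_site)
    same_site = "Lax" if wanted_same_site == "None" else wanted_same_site
    return CookieAttrs(name, value, secure=False, same_site=same_site)


def set_cookie_header(attrs: CookieAttrs, path: str = "/") -> str:
    """Render the attributes as the value of a Set-Cookie response header."""
    parts = [f"{attrs.name}={attrs.value}", f"Path={path}", "HttpOnly",
             f"SameSite={attrs.same_site}"]
    if attrs.secure:
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed requests: the same cookie served over https and over plain http.
    for scheme, host in (("https", "sso.example.test"), ("http", "10.0.0.5:8080")):
        ctx = is_secure_context(scheme, host)
        attrs = cookie_attrs("EXAMPLE_SESSION", "opaque-id", "None", ctx)
        print(f"{scheme}://{host} -> Set-Cookie: {set_cookie_header(attrs)}")
```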