APAR status
Closed as new function.
Error description
We need to investigate and design a way to add the SameSite attribute to cookies added via the Servlet API by applications, as well as to the session Cookie created by Open Liberty. In addition, we should investigate any other cookies that we set as part of the runtime and determine whether we need to add a SameSite configuration for those cookies as well.

Jakarta Servlet Spec Issue: https://github.com/eclipse-ee4j/servlet-api/issues/175
RFE Link: https://www.ibm.com/developerworks/rfe/execute?use_case=viewChangeRequest&CR_ID=119022
Open Liberty Epic: https://github.com/openliberty/open-liberty/issues/10086
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
* Server                                                        *
****************************************************************
* PROBLEM DESCRIPTION: SameSite Cookie Support in WebSphere    *
* Application Server                                            *
****************************************************************
* RECOMMENDATION:                                               *
****************************************************************
WebSphere Application Server does not support adding the SameSite cookie attribute to cookies added through the HttpServletResponse.addCookie API. There is also no support for the SameSite attribute on the Session or Security (LTPA/JWT) cookies.
Problem conclusion
The HTTP Channel can now be optionally configured with comma-delimited lists of cookie names or patterns to which a specific SameSite attribute is applied. You can specify a single wildcard character (*) as a stand-alone value, or as a character that follows a cookie name prefix. Any cookie name or pattern in a list must be unique and must not appear in any of the other SameSite configuration lists. These lists are set as HTTP Channel custom properties using the names 'sameSiteLax', 'sameSiteNone', or 'sameSiteStrict'.

If the HTTP Channel processes a cookie or a Set-Cookie header that does not contain a SameSite attribute, the cookie name is compared with the values of the 'sameSiteLax', 'sameSiteNone', and 'sameSiteStrict' lists. If a match is found, the corresponding SameSite attribute is applied. When the HTTP Channel applies a SameSite attribute with the value 'None', it also sets the Secure cookie attribute.

In the administrative console, navigate to the following panel to add these HTTP Channel properties: WebSphere application servers > server_name. Under Web Container Settings, click Web container transport chains > chain_name > HTTP inbound channel > Custom properties.

The SameSite attribute value can also be set for the single sign-on (SSO) Lightweight Third Party Authentication (LTPA) cookie. The trust association interceptors (TAIs) that write cookies and the OAuth provider accept the value of this core security property. The TAIs include OpenID Connect (OIDC), OpenID, and SAML. This can be set in the administrative console as a custom property by navigating to: Security > Global security > Custom properties. Use the property name 'com.ibm.websphere.security.addSameSiteAttributeToCookie' with possible values of 'Lax', 'Strict', or 'None'. By default, the custom property is disabled and the SameSite attribute is not set on the SSO, OAuth, and TAI cookies.
Session cookies can also be given the SameSite attribute by specifying the 'CookieSameSite' custom property under the Session Management panel, reached by navigating to: Servers > Server Types > WebSphere application servers > server_name > Session management. The 'CookieSameSite' property can be set to 'Lax', 'Strict', 'None', or Disabled (default). When set to 'None', the Secure attribute is set on the session cookie as well.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.18, 9.0.5.4, and Liberty 20.0.0.3. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553. The Git issue associated with this feature can be found here: https://github.com/OpenLiberty/open-liberty/issues/10086
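The matching rule the HTTP Channel lists follow (exact name, prefix pattern or stand-alone wildcard; only cookies that carry no SameSite attribute yet; Secure added whenever the applied value is None, the same rule the session and SSO settings describe) is the part a practitioner usually wants to verify against real Set-Cookie output. The following is an added Python example, not WebSphere or Open Liberty code: the three property names are the ones the APAR documents, the cookie names and header values are constructed sample data, and the most-specific-match precedence (exact name over prefix pattern over '*') is an assumption, since the APAR only requires that a name not appear in more than one list.

```python
from typing import Dict, List, Optional, Tuple

# Property names are the ones the APAR documents; the values below are
# constructed sample data, not an IBM default configuration.
CONFIG: Dict[str, str] = {
    "sameSiteLax": "LtpaToken2, report_*",
    "sameSiteNone": "tracking_*",
    "sameSiteStrict": "*",
}

# SameSite value that each configuration list produces.
VALUE_FOR_LIST = {
    "sameSiteLax": "Lax",
    "sameSiteNone": "None",
    "sameSiteStrict": "Strict",
}


def parse_lists(config: Dict[str, str]) -> Dict[str, List[str]]:
    """Split each comma-delimited property and enforce the documented constraints:
    '*' is allowed only stand-alone or trailing a name prefix, and a name or
    pattern may appear in only one of the three lists."""
    owner: Dict[str, str] = {}
    parsed: Dict[str, List[str]] = {}
    for prop, raw in config.items():
        names = [n.strip() for n in raw.split(",") if n.strip()]
        for name in names:
            if "*" in name and name != "*" and not (name.endswith("*") and name.count("*") == 1):
                raise ValueError(f"invalid pattern {name!r}: '*' must be stand-alone or trail a prefix")
            if name in owner:
                raise ValueError(f"{name!r} is listed in both {owner[name]} and {prop}")
            owner[name] = prop
        parsed[prop] = names
    return parsed


def resolve_samesite(cookie_name: str, parsed: Dict[str, List[str]]) -> Optional[str]:
    """Return the SameSite value whose list matches cookie_name, or None.
    Assumption (not stated in the APAR): when an exact name, a prefix pattern
    and the stand-alone '*' all match, the most specific one wins."""
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for prop, names in parsed.items():
        for pattern in names:
            if pattern == cookie_name:
                rank = (2, 0)                      # exact name
            elif pattern == "*":
                rank = (0, 0)                      # catch-all
            elif pattern.endswith("*") and cookie_name.startswith(pattern[:-1]):
                rank = (1, len(pattern))           # longer prefix beats shorter
            else:
                continue
            if best is None or rank > best[0]:
                best = (rank, VALUE_FOR_LIST[prop])
    return best[1] if best else None


def apply_samesite(set_cookie: str, parsed: Dict[str, List[str]]) -> str:
    """Rewrite one Set-Cookie header value the way the APAR describes the channel
    behaving: leave it alone if SameSite is already present or no list matches;
    otherwise append SameSite=<value>, plus Secure when the value is None."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = parts[1:]
    if any(a.lower().startswith("samesite=") for a in attrs):
        return set_cookie                          # application's own choice wins
    value = resolve_samesite(name, parsed)
    if value is None:
        return set_cookie                          # no list matched; untouched
    attrs.append(f"SameSite={value}")
    if value == "None" and not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")                     # browsers reject None without Secure
    return "; ".join([parts[0]] + attrs)


PARSED = parse_lists(CONFIG)

if __name__ == "__main__":
    # Constructed Set-Cookie values as a servlet application might emit them.
    for header in [
        "JSESSIONID=0000abc; Path=/; HttpOnly",
        "tracking_id=42; Path=/",
        "report_view=grid; Path=/; SameSite=Lax",
        "LtpaToken2=tok; Path=/; Secure; HttpOnly",
    ]:
        print(apply_samesite(header, PARSED))
```

Running the block prints the four rewritten headers: the session cookie picks up SameSite=Strict from the catch-all, the tracking cookie gets SameSite=None together with Secure, the header that already declares SameSite=Lax is left untouched, and the LTPA cookie matches its exact name in 'sameSiteLax'. The duplicate-name check in parse_lists mirrors the APAR's uniqueness requirement; in the product the same condition would surface as a configuration error rather than a Python exception.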
Temporary fix
Comments
APAR Information
APAR number
PH22157
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-02-13
Closed date
2020-06-12
Last modified date
2024-03-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059); Product: WebSphere Application Server (SSEQTP); Platform: Platform Independent (PF025); Version: 9.0; Line of Business: IT Automation & App Modernization (LOB67)
Document Information
Modified date:
25 March 2024