IBM Support

PH22157: ADD SUPPORT FOR THE SAMESITE COOKIE ATTRIBUTE


APAR status

  • Closed as new function.

Error description

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: SameSite Cookie Support in WebSphere    *
    *                      Application Server                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    WebSphere Application Server does not support adding the
    SameSite cookie attribute to cookies added through the
    HttpServletResponse.addCookies API. There is also no support
    for the SameSite attribute on the Session or Security
    (ltpa/jwt) Cookies.
    

Problem conclusion

  • The HTTP Channel can now be optionally configured with
    comma-delimited lists of cookie names or patterns to which a
    specific SameSite attribute value is applied. You can
    specify a single wildcard character (*) as a stand-alone
    value, or as a character that follows a cookie name prefix.
    Any cookie name or pattern in a list must be unique and must not
    appear in any of the other SameSite configuration lists. These
    lists are set as HTTP Channel custom properties using the names:
    'sameSiteLax', 'sameSiteNone', or 'sameSiteStrict'.

    If the HTTP Channel processes a cookie or a Set-Cookie header
    that does not contain a SameSite attribute, the cookie name is
    compared with the values of the 'sameSiteLax', 'sameSiteNone',
    and 'sameSiteStrict' lists. If a match is found, the
    corresponding SameSite attribute is applied. When the SameSite
    attribute is applied by the HTTP Channel and the value is
    'None', the Secure cookie attribute is also set. In the
    administrative console, navigate to the following panel to add
    these HTTP Channel properties:
    
    WebSphere application servers > server_name. Under Web
    Container Settings, click Web container transport chains >
    chain_name > HTTP inbound channel > Custom properties
    
    The SameSite attribute value can also be set for the single
    sign-on (SSO) associated with a Lightweight Third Party
    Authentication (LTPA) cookie. The trust association
    interceptors (TAIs) that write cookies and the OAuth provider
    accept the value of this core security property. The TAIs
    include OpenID Connect (OIDC), OpenID, and SAML. This can be
    set in the administrative console as a custom property by
    navigating to:
    
    Security > Global security > Custom properties.
    
    Use the property name of
    'com.ibm.websphere.security.addSameSiteAttributeToCookie' with
    possible values of 'Lax', 'Strict', or 'None'. By default, the
    custom property is disabled and the SameSite attribute is not
    set on the SSO, OAuth, and TAI cookies.
    
    Session cookies can also be given the SameSite attribute by
    specifying the 'CookieSameSite' custom property under the
    Session Management panel, which is reached by navigating to:
    
    Servers > Server Types > WebSphere application servers >
    server_name > Session management
    
    The 'CookieSameSite' property can be set to the values of
    'Lax', 'Strict', 'None', or Disabled (default). When set to
    'None', the Secure attribute is set on the session cookie as
    well.
    
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.18, 9.0.5.4, and Liberty 20.0.0.3. For more information,
    see 'Recommended Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553. The Git issue
    associated with this feature can be found here:
    https://github.com/OpenLiberty/open-liberty/issues/10086
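
    The following is an added example, not WebSphere's own code: a small Python
    re-implementation of the HTTP Channel rules described above, so that the
    matching behaviour of the 'sameSiteLax', 'sameSiteNone' and 'sameSiteStrict'
    lists can be checked against sample Set-Cookie headers before the properties
    are applied to a server. The cookie names and header values are constructed
    for the example. The APAR does not state how overlapping prefix patterns are
    resolved; the precedence used here (exact name, then longest matching prefix,
    then a stand-alone '*') is an assumption of this example.

```python
import re
from typing import Dict, List, Optional

# Maps each HTTP Channel custom property to the SameSite value it assigns.
PROPERTY_TO_VALUE = {
    "sameSiteLax": "Lax",
    "sameSiteStrict": "Strict",
    "sameSiteNone": "None",
}

# Constructed custom-property values for this example; the cookie names are
# sample values, not taken from any particular configuration.
CUSTOM_PROPERTIES = {
    "sameSiteLax": "JSESSIONID, app*",
    "sameSiteStrict": "LtpaToken2",
    "sameSiteNone": "embed_*",
}

# Constructed Set-Cookie headers that the channel would see on a response.
SAMPLE_HEADERS = [
    "JSESSIONID=0000abc; Path=/; HttpOnly",
    "appTheme=dark; Path=/",
    "embed_widget=1; Path=/",
    "LtpaToken2=xyz; Path=/; HttpOnly; Secure",
    "tracker=1; Path=/; SameSite=Lax",   # already has SameSite: left alone
    "other=2; Path=/",                   # matches no list: left alone
]

_SAMESITE_RE = re.compile(r";\s*SameSite\s*=", re.IGNORECASE)
_SECURE_RE = re.compile(r";\s*Secure\s*(;|$)", re.IGNORECASE)


def parse_same_site_lists(props: Dict[str, str]) -> Dict[str, str]:
    """Split the comma-delimited lists into {name_or_pattern: value}.

    Enforces the two rules from the APAR: an entry may appear in only one
    list, and '*' is allowed only stand-alone or after a name prefix."""
    table: Dict[str, str] = {}
    for prop, value in PROPERTY_TO_VALUE.items():
        for entry in (e.strip() for e in props.get(prop, "").split(",")):
            if not entry:
                continue
            if entry in table:
                raise ValueError(f"{entry!r} appears in more than one SameSite list")
            if "*" in entry and entry != "*" and not (
                entry.endswith("*") and entry.count("*") == 1
            ):
                raise ValueError(f"{entry!r}: '*' must be stand-alone or follow a prefix")
            table[entry] = value
    return table


def lookup_same_site(name: str, table: Dict[str, str]) -> Optional[str]:
    """Exact name first, then the longest matching 'prefix*', then '*' (assumed order)."""
    if name in table:
        return table[name]
    best_prefix, best_value = None, None
    for entry, value in table.items():
        if entry != "*" and entry.endswith("*"):
            prefix = entry[:-1]
            if name.startswith(prefix) and (best_prefix is None or len(prefix) > len(best_prefix)):
                best_prefix, best_value = prefix, value
    if best_value is not None:
        return best_value
    return table.get("*")


def apply_same_site(set_cookie: str, table: Dict[str, str]) -> str:
    """Add SameSite to a Set-Cookie header that lacks it; add Secure when the value is None."""
    if _SAMESITE_RE.search(set_cookie):
        return set_cookie  # an explicitly set SameSite attribute is not overridden
    name = set_cookie.split("=", 1)[0].strip()
    value = lookup_same_site(name, table)
    if value is None:
        return set_cookie
    header = f"{set_cookie.rstrip('; ')}; SameSite={value}"
    if value == "None" and not _SECURE_RE.search(header):
        header += "; Secure"  # SameSite=None is only honoured by browsers with Secure
    return header


def process_all(headers: List[str], props: Dict[str, str] = CUSTOM_PROPERTIES) -> List[str]:
    """Apply the configured lists to every header and return the rewritten headers."""
    table = parse_same_site_lists(props)
    return [apply_same_site(h, table) for h in headers]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_HEADERS, process_all(SAMPLE_HEADERS)):
        print(f"{before}\n  -> {after}")
```

    Running the block prints each constructed header beside the form the
    channel would emit; a duplicate entry across two lists raises a
    ValueError at parse time, which is the uniqueness rule the APAR states.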
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH22157

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-13

  • Closed date

    2020-06-12

  • Last modified date

    2020-06-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels


Document Information

Modified date:
13 June 2020