IBM Support

PH30368: OIDC RP MAY NOT DELETE SESSION COOKIE WHEN SAMESITE COOKIE POLICY=LAX

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • If an the OpenID Connect (OIDC) Relying Party's
    (RP) configured OpendID Provider (OP) requires that the
    application use an end-session endpoint, there may be a
    problem deleting the OIDC session cookie at logout when
    SameSite=Lax.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server and OpenID Connect                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OIDC RP may not delete its session  *
    *                      cookie upon logout when the SameSite    *
    *                      cookie policy is Lax.                   *
    ****************************************************************
    * RECOMMENDATION:  Do one of the following: 1) Set the         *
    *                  SameSite                                    *
    *                  cookie policy to none.  2) Install an       *
    *                  interim                                     *
    *                  fix or fix pack that contains this APAR.    *
    ****************************************************************
    If an RP's configured OP requires that the application use an
    end-session endpoint instead of having the RP revoke tokens
    itself, the RP may not be able to delete its session
    cookie when the SameSite cookie policy is Lax.
    

Problem conclusion

  • If the OP is considered a 3rd party by the browser, when SameSit
    is set to Lax, the OIDC session cookie may not be available when
    the logout request is received from the OP and therefore the OID
    RP cannot find the cookie, then delete it.
    
    The OIDC RP is updated so that it will delete the session cookie
    upon logout for logout requests that can be matched by the TAI
    filter.
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.19 and 9.0.5.7. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH30368

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-10-08

  • Closed date

    2020-10-16

  • Last modified date

    2020-10-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850"}]

Document Information

Modified date:
19 October 2020