IBM Support

PH67970: WASSAMLREQ COOKIES BUILDING UP IN THE HTTP REQUEST AND LEADING TO 400 BAD REQUEST ERROR


APAR status

  • Closed as program error.

Error description

  • When the Liberty SAML SSO code sets the expiry value for
    WASSamlReq cookies, it formats the timestamp using the local
    OS locale, which can put non-US-ASCII characters into the
    cookie's "expires" attribute. A browser that receives such a
    cookie cannot parse the expiration and treats it as a session
    cookie, so the cookie is not deleted until the browser is
    closed.
    
    After multiple requests, the WASSamlReq cookies accumulate in
    the HTTP Cookie header. This can result in a 400 Request Header
    Or Cookie Too Large error.
    

Local fix

  • Change the OS to an English locale, or set -Duser.language=en
    -Duser.country=US in the JVM arguments.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of WebSphere Liberty and SAML     *
    *                  SSO                                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: SAML SSO: 400 Request Header Or         *
    *                      Cookie Too Large error                  *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When using SAML SSO on Liberty, a user might encounter a 400
    Request Header Or Cookie Too Large error.
    

Problem conclusion

  • Liberty SAML SSO is updated to use the "max-age" attribute for
    the cookie in the request to the IdP instead of "expires".
    
    The fix for this APAR is targeted for inclusion in fix pack
    25.0.0.10. For more information, see 'Recommended Updates for
    WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    
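The following is an added example, not Liberty's own code: it applies the user-agent precedence rules for Max-Age and Expires to show why a locale-formatted Expires value degrades the WASSamlReq cookie to a session cookie, and rewrites such a header the way the APAR fix does, with Max-Age. The Set-Cookie samples (values, paths, the French-locale date) are constructed; only the cookie name WASSamlReq comes from the APAR.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers (not captured Liberty output).
ENGLISH_LOCALE = "WASSamlReq=abc123; Path=/; Expires=Fri, 10 Oct 2025 12:00:00 GMT; Secure; HttpOnly"
FRENCH_LOCALE = "WASSamlReq=abc123; Path=/; Expires=mar., 10 févr. 2026 12:00:00 GMT; Secure; HttpOnly"
MAX_AGE_FIX = "WASSamlReq=abc123; Path=/; Max-Age=300; Secure; HttpOnly"


def attributes(set_cookie):
    """Split a Set-Cookie value into {lowercased attribute name: value}."""
    out = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        out[name.strip().lower()] = value.strip()
    return out


def expiry_kind(set_cookie):
    """Classify how a user agent treats the cookie lifetime (RFC 6265 rules):
    a valid Max-Age wins, a parseable Expires is next, and anything else makes
    a session cookie that lives until the browser closes.  parsedate_to_datetime
    stands in for the browser's date parser here; like the RFC 6265 algorithm
    it only understands ASCII English month and day tokens."""
    attrs = attributes(set_cookie)
    if re.fullmatch(r"-?\d+", attrs.get("max-age", "")):
        return "max-age"
    expires = attrs.get("expires")
    if expires is not None and expires.isascii():
        try:
            parsedate_to_datetime(expires)
            return "expires"
        except (ValueError, TypeError):
            pass  # unparseable Expires is ignored by the browser
    return "session"


def persists_until_browser_close(set_cookie):
    """True when the cookie will pile up in the jar for the whole browser session."""
    return expiry_kind(set_cookie) == "session"


def rewrite_with_max_age(set_cookie, seconds):
    """Mirror the APAR fix: drop the locale-sensitive Expires attribute and
    carry the lifetime as Max-Age, a plain integer that is the same in every locale."""
    parts = [p.strip() for p in set_cookie.split(";")]
    kept = [p for p in parts if not p.lower().startswith(("expires=", "max-age="))]
    return "; ".join(kept[:1] + [f"Max-Age={int(seconds)}"] + kept[1:])
```

Running `persists_until_browser_close` over the Set-Cookie headers an IdP redirect actually returns is a quick way to confirm whether a Liberty instance is still emitting the affected form before and after applying the fix pack.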

Temporary fix

Comments

APAR Information

  • APAR number

    PH67970

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2025-09-02

  • Closed date

    2025-10-06

  • Last modified date

    2025-10-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • Product: WebSphere Application Server (SSEQTP)

  • Platform: Platform Independent

  • Version: CD0

  • Business Unit: IBM Software

  • Line of Business: Automation Platform

Document Information

Modified date:
07 October 2025