IBM Support

PI58457: Quotes are automatically added to the cookie Path attribute on v ersion 1 cookies

Fixes are available

16.0.0.2: WebSphere Application Server Liberty 16.0.0.2
16.0.0.3: WebSphere Application Server Liberty 16.0.0.3
16.0.0.4: WebSphere Application Server Liberty 16.0.0.4
17.0.0.1: WebSphere Application Server Liberty 17.0.0.1
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When the channel is building a version 1 cookie it will
    automatically add quotes to the Path attribute if there are
    special characters within the Path value
    
    For example
    ---
    Set-Cookie:
    JSESSIONID=0000UA7r9SKaCuW2r4jDamobdSf:1febd9f2-b80a-4031-87
    8a-6
    d6faf9e2fbd; Path=/CookiePathApp; HttpOnly
    TEST=1450345394715;
    Version=1; Path="/CookiePathApp"
    ---
    

Local fix

  • use V0 Cookie
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: When the HTTP Channel is building a     *
    *                      version 1 cookie, it will automatically *
    *                      add quotes to the Path attribute if     *
    *                      there are special characters within the *
    *                      Path value.                             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If the version 1 cookie Path attribute contains special
    characters the HTTP Channel code will automatically quote the
    value, unless it's already quoted, when adding the Cookie as a
    header to the message.
    

Problem conclusion

  • An HTTP Channel custom property was introduced to prevent the
    channel from automatically adding the quotes to the cookie's
    Path attribute. The name of the property is:
    
    SkipCookiePathQuotes
    
    It can have a value of true or false, with the default being
    false.
    
    To enable the new behavior add the following configuration
    option in the HTTP endpoint section of the server.xml
    
      <httpOptions SkipCookiePathQuotes="true"/>
    
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 16.0.0.2.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI58457

  • Reported component name

    LIBERTY PROFILE

  • Reported component ID

    5724J0814

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-03

  • Closed date

    2016-03-14

  • Last modified date

    2016-06-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LIBERTY PROFILE

  • Fixed component ID

    5724J0814

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
15 October 2021