IBM Support

PI84359: OIDC WASREQURLOIDCP COOKIE CONSTANTLY GROW WHEN LTPA TOKEN EXPIRED


APAR status

  • Closed as program error.

Error description

  • The Liberty application UI has frequently running requests. When
    the LTPA token expires, the OIDC client sends multiple redirect
    requests to the server in a very short time. After authentication,
    only the WASReqURLOidcp cookie included in the last redirect
    request is removed; the other WASReqURLOidcp cookies are kept,
    which causes the WASReqURLOidcp cookies to keep growing.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty OpenId Connect Client        *
    ****************************************************************
    * PROBLEM DESCRIPTION: When an application secured by          *
    *                      OpenIdConnect is rapidly and repeatedly *
    *                      accessed without completing             *
    *                      authentication, cookies can accumulate  *
    *                      in the browser.                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Some browser applications make multiple requests to a secured
    application without waiting for authentication to complete.
    This can lead to an accumulation of cookies in the browser.  At
    some point, when the size of the cookies HTTP header gets too
    large, a web server might reject the HTTP request for that
    reason.  Clearing the accumulated cookies has to be done
    manually or by closing the browser.
    

Problem conclusion

  • Well-behaved applications should not repeatedly access secured
    content until after user authentication completes, but some
    users may have existing applications that do this and cannot be
    readily updated. In that case a new configuration attribute has
    been added to the OpenId Connect Client to limit the lifetime of
    the cookies.
    The authenticationTimeLimit attribute can be specified in
    milliseconds to specify the cookie expiration time and limit
    cookie accumulation.  The default value is 7 minutes.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 17.0.0.3.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

  • Modify the application so some content can be accessed without
    triggering authentication, such as icons, images, or other
    static content that does not need to be secured.
    Modify the application so content is not accessed until after
    authentication completes.
    As an alternative, some web servers can be configured to
    increase the maximum allowed size of HTTP request headers.
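
A defender-side check for the accumulation described above, added here as an example and not IBM code: it counts WASReqURLOidcp cookies in a captured Cookie request header and compares the header size with a limit. Matching the cookies by name prefix, the 8192-byte limit, the `max_pending` threshold, and the sample headers are assumptions constructed for illustration.

```python
# Added diagnostic sketch; not IBM code. Sample headers below are constructed.
COOKIE_PREFIX = "WASReqURLOidcp"   # cookie name from the APAR; prefix matching is an assumption
HEADER_LIMIT_BYTES = 8192          # assumed limit; use your web server's configured value


def parse_cookie_header(header):
    """Split a raw Cookie request header into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")  # values may themselves contain "="
        pairs.append((name.strip(), value.strip()))
    return pairs


def audit_cookie_header(header, limit=HEADER_LIMIT_BYTES, max_pending=1):
    """Report how many OIDC request-URL cookies a request carries and their size."""
    pairs = parse_cookie_header(header)
    pending = [(n, v) for n, v in pairs if n.startswith(COOKIE_PREFIX)]
    # Bytes each cookie adds to the header: "name=value" plus the "; " separator.
    pending_bytes = sum(len(f"{n}={v}; ".encode()) for n, v in pending)
    total_bytes = len(f"Cookie: {header}".encode())
    return {
        "pending_count": len(pending),
        "pending_bytes": pending_bytes,
        "total_bytes": total_bytes,
        "accumulating": len(pending) > max_pending,
        "over_limit": total_bytes > limit,
    }


def make_sample(n_pending):
    """Build a constructed Cookie header with n leftover WASReqURLOidcp cookies."""
    cookies = ["JSESSIONID=0000constructed"]
    for i in range(n_pending):
        # Constructed values: a made-up numeric suffix and a padded original-URL value.
        cookies.append(f"{COOKIE_PREFIX}{i:04d}=https://app.example/ui/poll?id={i}&pad={'x' * 150}")
    return "; ".join(cookies)


if __name__ == "__main__":
    for n in (1, 5, 60):
        print(n, audit_cookie_header(make_sample(n)))
```

Run it against Cookie headers captured from affected browsers before and after setting authenticationTimeLimit to confirm that the leftover cookies stop accumulating.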
    

Comments

APAR Information

  • APAR number

    PI84359

  • Reported component name

    WAS LIBERTY COR

  • Reported component ID

    5725L2900

  • Reported release

    CD0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-07-11

  • Closed date

    2017-09-25

  • Last modified date

    2017-09-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS LIBERTY COR

  • Fixed component ID

    5725L2900

Applicable component levels

  • RCD0 PSY

       UP

Document Information

Modified date:
17 June 2020