IBM Support

PH22157: ADD SUPPORT FOR THE SAMESITE COOKIE ATTRIBUTE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: SameSite Cookie Support in WebSphere    *
*                      Application Server                      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere Application Server does not support adding the
SameSite cookie attribute to cookies added through the
HttpServletResponse.addCookies API. There is also no support
for the SameSite attribute on the Session or Security
(ltpa/jwt) Cookies.

    



Problem conclusion


    

  • The HTTP Channel can now be optionally configured to provide
comma delimited lists of cookie names or patterns for which a
specific SameSite attribute will be attributed to. You can
specify a single wildcard character (*) as a stand-alone
value, or as a character that follows a cookie name prefix.
Any cookie name or pattern in the list must be unique and not
in any of the other SameSite configuration lists. These lists
are set as HTTP Channel custom properties using the names:
'sameSiteLax', 'sameSiteNone', or 'sameSiteStrict'.


If the HTTP Channel processes a cookie or a Set-Cookie header
that does not contain a SameSite attribute, the name will be
compared with the values of the 'sameSiteLax', 'sameSiteNone',
and 'sameSiteStrict' lists. If a match if found, the
corresponding SameSite attribute is applied. When the SameSite
attribute is applied by the HTTP Channel, if the value is
'None', the Secure cookie attribute is also set.  In the
administrative console, navigate to the following panel to add
these HTTP Channel properties:

WebSphere application servers > server_name. Under Web
Container Settings, click Web container transport chains >
chain_name > HTTP inbound channel > Custom properties

The SameSite attribute value can also be set for the single
sign-on (SSO) associated with a Lightweight Third Party
Authentication (LTPA) cookie. The trust association
interceptors (TAIs) that write cookies and the OAuth provider
accept the value of this core security property. The TAIs
include OpenID Connect (OIDC), OpenID, and SAML. This can be
set in the administrative console as a custom property by
navigating to:

Security > Global security > Custom properties.

Use the property name of
'com.ibm.websphere.security.addSameSiteAttributeToCookie' with
possible values of 'Lax', 'Strict', or 'None'. By default, the
custom property is disabled and the SameSite attribute is not
set on the SSO, OAuth, and TAI cookies.

Session cookies can also have the SameSite attribute by
specifying the 'CookieSameSite' custom property under the
Session Management panel. This can be seen by navigating to:

Servers > Server Types > WebSphere application servers >
server_name > Session management

The 'CookieSameSite' property can be set to the values of
'Lax', 'Strict', 'None', or Disabled (default). When set to
'None', the Secure attribute is set on the session cookie as
well.


The fix for this APAR is targeted for inclusion in fix packs
8.5.5.18, 9.0.5.4, and Liberty 20.0.0.3. For more information,
see 'Recommended Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553 . The Git issue
associated to this feature can be found here:
https://github.com/OpenLiberty/open-liberty/issues/10086

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH22157
    • 

  • Reported component name
    WEBSPHERE APP S
    • 

  • Reported component ID
    5724J0800
    • 

  • Reported release
    900
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-02-13
    • 

  • Closed date
    2020-06-12
    • 

  • Last modified date
    2024-03-25
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBSPHERE APP S
    • 

  • Fixed component ID
    5724J0800
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            25 March 2024
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback