PI73318: Unique Cookie Names in WebSphere Application Server Traditional OIDC RP can accumulate on the browser

Fixes are available

APAR status

Closed as program error.

Error description

When an unauthorized user accesses a resourced protected by the
WASt OIDC RP, a cookie of the form OIDSTATEID_X, where X is a
randomly-generated string unique to the login state.

In certain situations, the browser will not delete the cookie
after the subsequent login, causing an accumulation of cookies
which may render future requests invalid due to the size of the
HTTP request header within which the cookies are sent.

Local fix

```
N/A
```

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server users of   *
*                  OpenID Connect                              *
****************************************************************
* PROBLEM DESCRIPTION: OIDC RP cookies can accumulate in       *
*                      browser and cause problems              *
****************************************************************
* RECOMMENDATION:  Install a fix pack that includes this       *
*                  APAR.                                       *
****************************************************************
The OIDC RP generates a many cookies if the user performs many
logins.  Even though the cookies are deleted at the end of the
process, some browsers don't really remove the cookies until
the browser is stopped and it causes problems for applications.

Problem conclusion

The OpenID Connect Relying Party (RP) in the full profile uses
a unique cookie to store request data for each request to
protected resources.  When the request flow is complete, the
cookie is deleted.  Since some browsers do not fully delete
deleted cookies until the browser is restarted, the cookies
can build up and cause unexpected behavior in the browser.

The OpenID Connect RP in the full profile is updated to reduce
the number of cookies that are used to one per configured
protected resource.

The following OIDC TAI global custom properties are added:

useStateCookies
default=true
By default, the run time uses both local storage and browser
cookies to store request data when a request is redirected to
the OP.  When this property is false, the OIDC TAI will not
use browser cookies; only local storage will be used.

maxCookieSize
default=4093, minimum=500, maximum=4093
Maximum cookie size that the run time will create.  At
runtime, if the data to be written is larger than the value
for this property, the request will be rejected.  This
property applies to, and can be overridden by both
maxStateCookieSize and provider.<id>.postParameterCookieSize.
The value must be between [500] and [4093].

maxStateCookieSize
default=4093, minimum=500, maximum=4093
Maximum state cookie size that the run time will create.  At
runtime, if the data to be written is larger than the value
for this property, the request will be rejected.  This
property will override the value set for maxCookieSize for
state cookies.  The value must be between [500] and [4093].

useUniqueStateCookies
default=false
When this property is set to true, instead of using a single
OIDCSTATE cookie for all requests, each request uses a new
OIDCSTATE cookie.


The fix for this APAR is currently targeted for inclusion in
fix pack 8.0.0.14, 8.5.5.12, and 9.0.0.4.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI73318
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-12-06
Closed date
2017-03-09
Last modified date
2017-03-10

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800

Applicable component levels

R800 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022

Tips

PI73318: Unique Cookie Names in WebSphere Application Server Traditional OIDC RP can accumulate on the browser

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R800 PSY

Document Information

Share your feedback

Need support?