Access Management 7.3.2

Secure cookie filter

As part of the support that AM provides for SameSite cookies, the deployment descriptor file web.xml includes a filter that adds the Secure attribute to the cookies AM sets if either of the following is true:

  • The request comes in through a connection that the container treats as secure.

    For example, because you have set secure="true" on an HTTP connector in Tomcat's server.xml, which tells Tomcat that a TLS-terminating load balancer or reverse proxy in front of it has already secured the connection.

  • The request comes in through an HTTPS connector.

Automatically promoting cookies to Secure keeps AM working after the browser SameSite changes: a cookie can only opt out of SameSite enforcement by setting SameSite=None, and browsers reject a SameSite=None cookie that is not also marked Secure. Note that the promotion relies on the container's view of the connection, not the browser's. If a browser actually reaches AM over plain HTTP, it refuses a cookie marked Secure, so mark a connector as secure only when TLS really is terminated in front of it.
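The following Python script is an added illustration of the rule described above and is not AM's filter source: it models how a filter of this kind would promote Set-Cookie headers to Secure for a request the container considers secure, skips the cookies on the excludes list, and then applies the two browser rules that make the promotion matter (SameSite=None needs Secure, and a Secure cookie is refused when the browser's own connection is plain HTTP). The cookie names in SAMPLE_HEADERS other than amlbcookie, and the request_is_secure flag, are assumptions for the demo; request_is_secure stands in for the servlet container's ServletRequest.isSecure().

```python
"""Illustrative model of a Secure-promoting cookie filter.

Added example, not AM's SecureCookieFilter code. The sample headers are constructed.
"""

DEFAULT_EXCLUDES = frozenset({"amlbcookie"})  # the cookie AM excludes by default


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, [attributes])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), [p for p in parts[1:] if p]


def promote_to_secure(set_cookie_headers, request_is_secure, excludes=DEFAULT_EXCLUDES):
    """Add Secure to each cookie of a secure request unless the cookie is excluded.

    request_is_secure models ServletRequest.isSecure(): true on an HTTPS connector
    and on a Tomcat connector configured with secure="true".
    """
    result = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        already_secure = any(a.lower() == "secure" for a in attrs)
        if request_is_secure and not already_secure and name not in excludes:
            attrs.append("Secure")
        result.append("; ".join([f"{name}={value}", *attrs]))
    return result


def browser_accepts(set_cookie_header, origin_is_https=True):
    """Browser acceptance rules relevant here.

    - SameSite=None without Secure is dropped.
    - A Secure cookie set from a plain-HTTP origin is dropped.
    """
    _, _, attrs = parse_set_cookie(set_cookie_header)
    lowered = [a.lower().replace(" ", "") for a in attrs]
    if "samesite=none" in lowered and "secure" not in lowered:
        return False
    if "secure" in lowered and not origin_is_https:
        return False
    return True


# Constructed sample response headers (not captured from a real AM deployment);
# "sessionToken" is a placeholder name, not AM's session cookie.
SAMPLE_HEADERS = [
    "sessionToken=abc123; Path=/; HttpOnly; SameSite=None",
    "amlbcookie=01; Path=/",
]

if __name__ == "__main__":
    for secure in (True, False):
        print(f"container sees request as secure={secure}")
        for h in promote_to_secure(SAMPLE_HEADERS, secure):
            print(f"  {h}  browser accepts over https={browser_accepts(h)}")
```

Running it shows the failure mode the page warns about: with the connector not marked secure, the SameSite=None session cookie leaves AM without Secure and the browser drops it, while the excluded amlbcookie is unaffected either way.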

Exclude cookies from the filter

  1. To exclude cookies from the filter, edit the /path/to/tomcat/webapps/openam/WEB-INF/web.xml file and search for the SecureCookieFilter filter.

  2. Add the names of the cookies you want to exclude to the value of the excludes parameter, one name per line.

    For example:

    ...
    <param-name>excludes</param-name>
    <param-value>
      myCookie1
      myStickyCookie
      myCookie2
    </param-value>
    ...

    To ensure that non-secure requests are still load-balanced correctly, the amlbcookie cookie is excluded by default. If you use a custom cookie for sticky load balancing, add it to the list of excluded cookies as well; otherwise the browser refuses the promoted Secure cookie on plain-HTTP connections and session stickiness breaks.

  3. Restart AM or the container where it runs for the changes to take effect.

    Because web.xml lives inside the deployed web application, redeploying or upgrading the AM .war file overwrites it. Reapply the exclusion after any redeployment.
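The following Python script is an added example of carrying out step 2 in a repeatable way; it is not part of AM or its documentation. It parses a web.xml, locates the filter named SecureCookieFilter, reads its excludes init-param and appends a cookie name to it, rejecting names that are not valid cookie tokens so that the whitespace-separated list cannot be corrupted. The embedded SAMPLE_WEB_XML is constructed for the demo and its filter-class value is a placeholder, not AM's real class name; the real file's structure beyond what the page shows (filter-name, the excludes init-param) is assumed.

```python
"""Add a cookie name to the SecureCookieFilter 'excludes' list in a web.xml.

Added example, not AM or ForgeRock code. SAMPLE_WEB_XML is constructed; the
filter-class value is a placeholder, not AM's real filter class.
"""
import re
import shutil
import sys
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>SecureCookieFilter</filter-name>
    <filter-class>com.example.PlaceholderSecureCookieFilter</filter-class>
    <init-param>
      <param-name>excludes</param-name>
      <param-value>
        amlbcookie
      </param-value>
    </init-param>
  </filter>
</web-app>
"""

# RFC 6265 cookie-name is an HTTP token: no whitespace or separators, so a
# validated name can never split or merge entries in the whitespace-separated list.
COOKIE_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def _local(tag):
    """Strip the web-app XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_excludes(root, filter_name="SecureCookieFilter"):
    """Return the <param-value> element of the filter's 'excludes' init-param, or None."""
    for flt in root.iter():
        if _local(flt.tag) != "filter" or _child_text(flt, "filter-name") != filter_name:
            continue
        for param in flt:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "excludes":
                for child in param:
                    if _local(child.tag) == "param-value":
                        return child
    return None


def excluded_cookies(xml_text):
    """List the cookie names currently excluded from the filter."""
    pval = find_excludes(ET.fromstring(xml_text))
    return (pval.text or "").split() if pval is not None else []


def add_excluded_cookie(xml_text, cookie):
    """Return the web.xml text with `cookie` appended to the excludes list (idempotent)."""
    if not COOKIE_NAME.fullmatch(cookie):
        raise ValueError(f"not a valid cookie name: {cookie!r}")
    root = ET.fromstring(xml_text)
    # Keep the default namespace unprefixed on output so the file stays a normal web.xml.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    pval = find_excludes(root)
    if pval is None:
        raise ValueError("SecureCookieFilter 'excludes' init-param not found")
    names = (pval.text or "").split()
    if cookie not in names:
        names.append(cookie)
    pval.text = "\n" + "".join(f"        {n}\n" for n in names) + "      "
    return ET.tostring(root, encoding="unicode")


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} /path/to/tomcat/webapps/openam/WEB-INF/web.xml COOKIE_NAME")
        return 2
    path, cookie = argv[1], argv[2]
    with open(path, encoding="utf-8") as f:
        original = f.read()
    shutil.copyfile(path, path + ".bak")  # ElementTree drops XML comments, so keep a copy
    updated = add_excluded_cookie(original, cookie)
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated)
    print("excluded cookies now:", excluded_cookies(updated))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 add_exclude.py /path/to/tomcat/webapps/openam/WEB-INF/web.xml myStickyCookie`, then restart the container. The script writes a .bak copy first because the standard-library parser discards XML comments; diff the two files before restarting so you can confirm that only the excludes value changed.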