PingAM

Secure cookie filter

As part of the support that AM provides for SameSite cookies, the deployment descriptor file web.xml includes a filter that flags cookies as secure if any of the following is true:

  • The request comes in through a connection marked as secure.

    For example, because you have marked an HTTP connector as secure in Tomcat.

  • The request comes in through an HTTPS connector.

Automatically promoting cookies to secure keeps existing functionality working after the SameSite changes, because a cookie can only opt out of SameSite restrictions if it is marked as secure.

Exclude cookies from the filter

  1. To exclude cookies from the filter, edit the /path/to/tomcat/webapps/am/WEB-INF/web.xml file and add a <filter> declaration and a <filter-mapping> element for the SecureCookieFilter.

  2. Add any cookies you want to exclude to the list.

    For example:

    ...
        <filter>
            <filter-name>MySecureCookies</filter-name>
            <filter-class>org.forgerock.openam.headers.SecureCookieFilter</filter-class>
            <init-param>
                <param-name>excludes</param-name>
                <param-value>myCookie1, myStickyCookie, myCookie2</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>MySecureCookies</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    ...

    To ensure that non-secure requests are load-balanced correctly, the amlbcookie cookie is already excluded by default. If you’re using a custom cookie for sticky load balancing, you might want to add it to the list of excluded cookies.

  3. Restart AM or the container where it runs for the changes to take effect.
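After the restart, you can confirm that the filter is doing what the excludes list says by inspecting the Set-Cookie headers AM returns. The script below is an added example, not part of the PingAM documentation or product: it reads the excludes list from a web.xml fragment (the filter class and parameter names are the ones shown above; the namespace handling, the comma-separated parsing of the value and the sample headers are assumptions) and reports cookies whose flags contradict that configuration.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.forgerock.openam.headers.SecureCookieFilter"
DEFAULT_EXCLUDES = {"amlbcookie"}  # excluded by the filter by default


def _local(tag):
    """Strip an XML namespace prefix so web.xml parses with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def excludes_from_web_xml(xml_text):
    """Return the cookie names the SecureCookieFilter leaves alone (default + excludes)."""
    excludes = set(DEFAULT_EXCLUDES)
    for flt in ET.fromstring(xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        cls = [(c.text or "").strip() for c in flt if _local(c.tag) == "filter-class"]
        if cls != [FILTER_CLASS]:
            continue
        for param in (c for c in flt if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "excludes":
                # Assumption: the value is a comma-separated list, as in the docs example.
                excludes |= {n.strip() for n in kv.get("param-value", "").split(",") if n.strip()}
    return excludes


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value or True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for p in rest:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return first.partition("=")[0].strip(), attrs


def audit(set_cookie_headers, excludes):
    """Return [(cookie, problem)] for cookies whose flags contradict the filter config."""
    problems = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        secure = "secure" in attrs
        samesite = str(attrs.get("samesite", "")).lower()
        if samesite == "none" and not secure:
            problems.append((name, "SameSite=None requires Secure; browsers drop this cookie"))
        elif not secure and name not in excludes:
            problems.append((name, "not Secure: filter not mapped for this path or connector"))
    return problems
```

Feed it the Set-Cookie lines captured from a request to AM (for example from curl output) together with the excludes parsed from your deployed web.xml; an empty result means every non-excluded cookie was promoted and no SameSite=None cookie is missing Secure.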