---
title: Secure cookie filter
description: As part of the support that AM provides for SameSite cookies, the deployment descriptor file web.xml includes a filter that flags cookies as secure if any of the following is true:
component: pingam
version: 8.1
page_id: pingam:security:secure-cookie-filter
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/secure-cookie-filter.html
keywords: ["Security", "Setup & Configuration", "Deployment"]
page_aliases: ["security-guide:secure-cookie-filter.adoc"]
section_ids:
  exclude-cookies-from-secure-filter: Exclude cookies from the filter
---

# Secure cookie filter

As part of the support that AM provides for `SameSite` cookies, the deployment descriptor file `web.xml` includes a filter that flags cookies as secure if any of the following is true:

* The request comes in through a connection marked as secure.

  For example, because you have marked an HTTP connector as secure in Tomcat.

* The request comes in through an HTTPS connector.

Automatically promoting cookies to secure ensures that the functionality continues to work with the `SameSite` changes, because you can only opt out of `SameSite` if a cookie is marked as secure.

## Exclude cookies from the filter

1. To exclude cookies from the filter, edit the `/path/to/tomcat/webapps/am/WEB-INF/web.xml` file and add a `<filter>` declaration and a `<filter-mapping>` element for the `SecureCookieFilter`.

2. Add any cookies you want to exclude to the list.

   For example:

   ```xml
   ...
       <filter>
           <filter-name>MySecureCookies</filter-name>
           <filter-class>org.forgerock.openam.headers.SecureCookieFilter</filter-class>
           <init-param>
               <param-name>excludes</param-name>
               <param-value>myCookie1, myStickyCookie, myCookie2</param-value>
           </init-param>
       </filter>
       <filter-mapping>
           <filter-name>MySecureCookies</filter-name>
           <url-pattern>/*</url-pattern>
       </filter-mapping>
   ...
   ```

   To ensure that non-secure requests are load-balanced correctly, the `amlbcookie` cookie is already excluded by default. If you're using a custom cookie for sticky load balancing, you might want to add it to the list of excluded cookies.

3. Restart AM or the container where it runs for the changes to take effect.
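To check the result after the restart, the following added example (not part of the AM documentation or code base) reads the `excludes` list from `web.xml` and classifies `Set-Cookie` values captured over HTTPS. The cookie names `sessionCookie` and `otherCookie`, the header values, and the finding labels are constructed for illustration; the example assumes, per the description above, that every non-excluded cookie on a secure connection should carry `Secure`.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.forgerock.openam.headers.SecureCookieFilter"
# Constructed sample: the page's <filter> fragment wrapped in a <web-app> root.
SAMPLE_WEB_XML = """<web-app><filter>
  <filter-class>org.forgerock.openam.headers.SecureCookieFilter</filter-class>
  <init-param><param-name>excludes</param-name>
    <param-value>myCookie1, myStickyCookie, myCookie2</param-value></init-param>
</filter></web-app>"""
# Constructed Set-Cookie values, as if captured from a response over HTTPS.
SAMPLE_SET_COOKIE = [
    "sessionCookie=abc; Path=/; Secure; HttpOnly; SameSite=None",
    "myStickyCookie=01; Path=/",
    "myCookie1=x; Path=/; SameSite=None",
    "otherCookie=y; Path=/",
]

def _text(elem, name):
    """Text of the first child whose namespace-stripped tag equals name."""
    hits = [c.text or "" for c in elem if c.tag.rsplit("}", 1)[-1] == name]
    return hits[0].strip() if hits else ""

def excluded_cookies(web_xml_text):
    """Cookie names in the 'excludes' init-param of each SecureCookieFilter."""
    names = set()
    for elem in ET.fromstring(web_xml_text).iter():
        if _text(elem, "filter-class") == FILTER_CLASS:
            for param in elem:
                if _text(param, "param-name") == "excludes":
                    names |= {n.strip() for n in _text(param, "param-value").split(",")}
    return names - {""}

def audit(set_cookie_values, excludes):
    """Map cookie name -> finding for Set-Cookie values seen on a secure connection."""
    report = {}
    for raw in set_cookie_values:
        pair, *attrs = [p.strip() for p in raw.split(";")]
        name = pair.split("=", 1)[0]
        flags = {a.partition("=")[0].lower(): a.partition("=")[2].lower() for a in attrs if a}
        if "secure" in flags:
            report[name] = "ok"
        elif flags.get("samesite") == "none":
            report[name] = "SameSite=None without Secure"  # opt-out needs Secure
        else:
            report[name] = "excluded, not Secure" if name in excludes else "not excluded, not Secure"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_SET_COOKIE, excluded_cookies(SAMPLE_WEB_XML)))
```

A `SameSite=None without Secure` finding on an excluded cookie means the exclusion has removed the flag that the `SameSite` opt-out depends on.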
