Secure cookie filter
As part of the support that AM provides for the SameSite cookie attribute,
the deployment descriptor file
web.xml includes a filter
that flags cookies as secure if any of the following is true:
The request comes in through a connection marked as secure.
For example, because you have marked an HTTP connector as secure in Tomcat.
The request comes in through an HTTPS connector.
Automatically promoting cookies to secure ensures that the functionality continues to work with SameSite,
because you can only opt out of
SameSite (that is, send SameSite=None) if the cookie is also marked as secure.
Exclude cookies from the filter
To exclude cookies from the filter, edit the
/path/to/tomcat/webapps/openam/WEB-INF/web.xml file and search for the excludes parameter.
Add any cookies you want to exclude to the list.
...
<param-name>excludes</param-name>
<param-value>
    myCookie1
    myStickyCookie
    myCookie2
</param-value>
...
To ensure that non-secure requests are load-balanced correctly, the
amlbcookie cookie is already excluded by default. If you are using a custom cookie for sticky load balancing, you may want to add it to the list of excluded cookies.
Restart AM or the container where it runs for the changes to take effect.
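As an added illustration of the mechanism described above and of the excludes list (example code, not AM's own filter), a minimal hypothetical servlet filter that promotes cookies to Secure on secure requests and honors a whitespace-separated excludes init-param; the class name, and the use of request.isSecure() to cover both the HTTPS connector and the connector-marked-secure cases, are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: marks every cookie Secure when the request is secure,
 *  unless its name is listed in the whitespace-separated "excludes" init-param. */
public class SecureCookiePromotionFilter implements Filter {
    private final Set<String> excludes = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        String raw = config.getInitParameter("excludes");
        if (raw != null && !raw.trim().isEmpty()) {
            // Same list format as the web.xml snippet: names separated by whitespace.
            excludes.addAll(Arrays.asList(raw.trim().split("\\s+")));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // isSecure() is true for an HTTPS connector or a connector Tomcat marks secure="true".
        if (req.isSecure() && res instanceof HttpServletResponse) {
            res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override
                public void addCookie(Cookie cookie) {
                    // Excluded cookies (e.g. the load-balancer cookie) keep their own flag.
                    if (!excludes.contains(cookie.getName())) {
                        cookie.setSecure(true);
                    }
                    super.addCookie(cookie);
                }
            };
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml with an init-param named excludes whose value is the cookie names to leave untouched, and the filter mapping placed ahead of anything that sets cookies.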