Secure cookie filter
As part of the support that AM provides for SameSite cookies,
the deployment descriptor file web.xml includes a filter
that flags cookies as secure if any of the following is true:
-
The request comes in through a connection marked as secure.
For example, because you have marked an HTTP connector as secure in Tomcat.
-
The request comes in through an HTTPS connector.
Automatically promoting cookies to secure ensures that the functionality continues to work with the SameSite changes,
because you can only opt out of SameSite if a cookie is marked as secure.
Exclude cookies from the filter
-
To exclude cookies from the filter, edit the
/path/to/tomcat/webapps/openam/WEB-INF/web.xmlfile and search for theSecureCookieFilterfilter. -
Add any cookies you want to exclude to the list.
For example:
... <param-name>excludes</param-name> <param-value> myCookie1 myStickyCookie myCookie2 </param-value> ...To ensure that non-secure requests are load-balanced correctly, the
amlbcookiecookie is already excluded by default. If you are using a custom cookie for sticky load balancing, you may want to add it to the list of excluded cookies. -
Restart AM or the container where it runs for the changes to take effect.