Managing the Secure Cookie Filter
As part of the support that AM provides for SameSite
cookies, the deployment descriptor file web.xml
includes a filter that flags cookies as secure if any of the following is true:
The request comes in through a connection marked as secure. For example, because you have marked an HTTP connector as secure in Tomcat.
The request comes in through an HTTPS connector.
Automatically promoting cookies to secure ensures that the functionality continues to work with the SameSite
changes, because you can only opt out of SameSite
if a cookie is marked as secure.
To exclude cookies from the filter, edit the
/path/to/tomcat/webapps/openam/WEB-INF/web.xml
file and search for theSecureCookieFilter
filter.Add any cookies you want to exclude to the list. For example:
... <param-name>excludes</param-name> <param-value> myCookie1 myStickyCookie myCookie2 </param-value> ...
Tip
To ensure that non-secure requests are load-balanced correctly, the
amlbcookie
cookie is already excluded by default. If you are using a custom cookie for sticky load balancing, you may want to add it to the list of excluded cookies.Restart AM or the container where it runs for the changes to take effect.