IBM Support

PI25144: ENHANCE HTTPONLY TO SUPPORT WILD CARD IN COOKIE NAME

Fixes are available

8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14


APAR status

  • Closed as new function.

Error description

  • This is an enhancement that allows HTTPOnly to support a wild
    card in the cookie name.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM WebSphere Application Server   *
    *                  Full Profile versions 7.0, 8.0, and 8.5.5   *
    ****************************************************************
    * PROBLEM DESCRIPTION: Enhance the WebContainer custom         *
    *                      property                                *
    *                      com.ibm.ws.webcontainer.HTTPOnlyCookies *
    *                      to support the wild card character in   *
    *                      the cookie name.                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A cookie name can be configured to have the HTTPOnly
    attribute. It is configured using the WebContainer custom
    property
    com.ibm.ws.webcontainer.HTTPOnlyCookies
    This property accepts the following values:
    - * : An asterisk value means that all cookies are given the
      HTTPOnly attribute.
    - A comma-delimited list of the specific cookies that are
      given the HTTPOnly attribute. The HTTPOnly attribute is only
      given to cookies that are on this list.
    It does not accept the wild card character as part of the
    cookie
    

Problem conclusion

  • The WebContainer code was modified to enhance the WebContainer
    custom property so that the wild card character can be used as
    part of the cookie names. The following examples illustrate how
    the custom property can be used:
    
    com.ibm.ws.webcontainer.HTTPOnlyCookies=*
    com.ibm.ws.webcontainer.HTTPOnlyCookies=cookieName1,Account3Cookie,JsessionID
    
    com.ibm.ws.webcontainer.HTTPOnlyCookies= postFixCookieName*, middleCookie*Name, *_preFixCookieName
    
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.37, 8.0.0.10, and 8.5.5.5. Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
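
An added example, not IBM's code: a small audit that takes a com.ibm.ws.webcontainer.HTTPOnlyCookies value and a set of captured Set-Cookie header values, and reports which cookies the patterns would cover and which are left without HttpOnly. It assumes `*` matches any run of characters (including none) and that names are compared case-sensitively; the function names and the sample headers are constructed for illustration.

```python
import re

# Property value taken from the APAR's third example.
PROPERTY_VALUE = " postFixCookieName*, middleCookie*Name, *_preFixCookieName"

# Constructed Set-Cookie header values (sample data, not from a real server).
SAMPLE_HEADERS = [
    "postFixCookieNameA=1; Path=/",
    "middleCookieXName=2; Path=/; Secure",
    "app_preFixCookieName=3",
    "JSESSIONID=abc; Path=/; HttpOnly",
    "tracking=xyz; Path=/",
]

def parse_patterns(value):
    """Split the property value on commas and trim whitespace around each entry."""
    return [p.strip() for p in value.split(",") if p.strip()]

def covers(pattern, name):
    """Assumed semantics: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def audit(property_value, set_cookie_headers):
    """Return (name, covered_by_property, httponly_already_in_header) per cookie."""
    patterns = parse_patterns(property_value)
    rows = []
    for header in set_cookie_headers:
        pair, *attrs = header.split(";")
        name = pair.split("=", 1)[0].strip()
        has_flag = any(a.strip().lower() == "httponly" for a in attrs)
        covered = any(covers(p, name) for p in patterns)
        rows.append((name, covered, has_flag))
    return rows

def uncovered(property_value, set_cookie_headers):
    """Cookies that match no pattern and do not carry HttpOnly themselves."""
    return [name for name, covered, has_flag
            in audit(property_value, set_cookie_headers)
            if not covered and not has_flag]

if __name__ == "__main__":
    for name, covered, has_flag in audit(PROPERTY_VALUE, SAMPLE_HEADERS):
        print(f"{name:24} covered={covered!s:5} httponly_in_header={has_flag}")
    print("left without HttpOnly:", uncovered(PROPERTY_VALUE, SAMPLE_HEADERS))
```

Confirm the result against the Set-Cookie headers the server actually sends after the property is applied, since the matching rules here are an assumption.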
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI25144

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-09-05

  • Closed date

    2014-12-02

  • Last modified date

    2014-12-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information


Software version: 7.0

Reference #: PI25144

Modified date: 02 December 2014