IBM Security Verify

Never paid attention to this behavior before.

Usually, we try enabling wherever possible "-j" on junctions and the side-benefit is that returned cookie name is renamed and made unique to the junction thus preventing cookie name clashes between different back-ends (junctions).

In some other situation, it is simply not possible as the back-end application (front-end) does not support cookie name change (nor do they support addition of JavaScript snipet in the returned payload).

Being doing a bit a research I came across this documentation link https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/concept/con_cookie_handl_path_attr.html where I'm insisting on this part: "standard WebSEAL filtering of visible server-relative URLs normally adds the junction name to the value of the path attribute of a server cookie (for example, path=/jct/xyz), in addition to modifying the URL itself".  The fact is I never have seen a cookie returned by WebSEAL having the path set to the name of the junction. If that was working, it would resolve cookie name clashing issue between different back-ends (junctions) for which the "-j" option cannot be enabled.

For instance, this is the cookie as returned from AAC Liberty Runtime demo application (across a junction):

{"JSESSIONID":{"httpOnly":true,"path":"/","secure":true,"value":"0000...-e2da-40e2-945e-63e51a3bc1dd"}}

With the following JCT setup:

  - { set_junction_junction_point: "/cookie-nojs", set_junction_junction_type: "ssl", set_junction_server_hostname: "{{ isam_runtime_address }}", set_junction_server_port: 443, set_junction_scripting_support: "no" }

Is there a reason I am not seeing this cookie path being renamed by WebSEAL ? Or other configuration setting that may conflict with the described  behavior ? Or I have simply misunderstood the shared documentation snippet.

Thanks

Never paid attention to this behavior before.

Usually, we try enabling wherever possible "-j" on junctions and the side-benefit is that returned cookie name is renamed and made unique to the junction thus preventing cookie name clashes between different back-ends (junctions).

In some other situation, it is simply not possible as the back-end application (front-end) does not support cookie name change (nor do they support addition of JavaScript snipet in the returned payload).

Being doing a bit a research I came across this documentation link https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/concept/con_cookie_handl_path_attr.html where I'm insisting on this part: "standard WebSEAL filtering of visible server-relative URLs normally adds the junction name to the value of the path attribute of a server cookie (for example, path=/jct/xyz), in addition to modifying the URL itself".  The fact is I never have seen a cookie returned by WebSEAL having the path set to the name of the junction. If that was working, it would resolve cookie name clashing issue between different back-ends (junctions) for which the "-j" option cannot be enabled.

For instance, this is the cookie as returned from AAC Liberty Runtime demo application (across a junction):

{"JSESSIONID":{"httpOnly":true,"path":"/","secure":true,"value":"0000...-e2da-40e2-945e-63e51a3bc1dd"}}

With the following JCT setup:

  - { set_junction_junction_point: "/cookie-nojs", set_junction_junction_type: "ssl", set_junction_server_hostname: "{{ isam_runtime_address }}", set_junction_server_port: 443, set_junction_scripting_support: "no" }

Is there a reason I am not seeing this cookie path being renamed by WebSEAL ? Or other configuration setting that may conflict with the described  behavior ? Or I have simply misunderstood the shared documentation snippet.

Thanks

Never paid attention to this behavior before.

Usually, we try enabling wherever possible "-j" on junctions and the side-benefit is that returned cookie name is renamed and made unique to the junction thus preventing cookie name clashes between different back-ends (junctions).

In some other situation, it is simply not possible as the back-end application (front-end) does not support cookie name change (nor do they support addition of JavaScript snipet in the returned payload).

Being doing a bit a research I came across this documentation link https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/concept/con_cookie_handl_path_attr.html where I'm insisting on this part: "standard WebSEAL filtering of visible server-relative URLs normally adds the junction name to the value of the path attribute of a server cookie (for example, path=/jct/xyz), in addition to modifying the URL itself".  The fact is I never have seen a cookie returned by WebSEAL having the path set to the name of the junction. If that was working, it would resolve cookie name clashing issue between different back-ends (junctions) for which the "-j" option cannot be enabled.

For instance, this is the cookie as returned from AAC Liberty Runtime demo application (across a junction):

{"JSESSIONID":{"httpOnly":true,"path":"/","secure":true,"value":"0000...-e2da-40e2-945e-63e51a3bc1dd"}}

With the following JCT setup:

  - { set_junction_junction_point: "/cookie-nojs", set_junction_junction_type: "ssl", set_junction_server_hostname: "{{ isam_runtime_address }}", set_junction_server_port: 443, set_junction_scripting_support: "no" }

Is there a reason I am not seeing this cookie path being renamed by WebSEAL ? Or other configuration setting that may conflict with the described  behavior ? Or I have simply misunderstood the shared documentation snippet.

Thanks

Never paid attention to this behavior before.

Usually, we try enabling wherever possible "-j" on junctions and the side-benefit is that returned cookie name is renamed and made unique to the junction thus preventing cookie name clashes between different back-ends (junctions).

In some other situation, it is simply not possible as the back-end application (front-end) does not support cookie name change (nor do they support addition of JavaScript snipet in the returned payload).

Being doing a bit a research I came across this documentation link https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/concept/con_cookie_handl_path_attr.html where I'm insisting on this part: "standard WebSEAL filtering of visible server-relative URLs normally adds the junction name to the value of the path attribute of a server cookie (for example, path=/jct/xyz), in addition to modifying the URL itself".  The fact is I never have seen a cookie returned by WebSEAL having the path set to the name of the junction. If that was working, it would resolve cookie name clashing issue between different back-ends (junctions) for which the "-j" option cannot be enabled.

For instance, this is the cookie as returned from AAC Liberty Runtime demo application (across a junction):

{"JSESSIONID":{"httpOnly":true,"path":"/","secure":true,"value":"0000...-e2da-40e2-945e-63e51a3bc1dd"}}

With the following JCT setup:

  - { set_junction_junction_point: "/cookie-nojs", set_junction_junction_type: "ssl", set_junction_server_hostname: "{{ isam_runtime_address }}", set_junction_server_port: 443, set_junction_scripting_support: "no" }

Is there a reason I am not seeing this cookie path being renamed by WebSEAL ? Or other configuration setting that may conflict with the described  behavior ? Or I have simply misunderstood the shared documentation snippet.

Thanks