Hello Sylvain
As you suspected, there could be other configuration options that prevent what the documentation says; for instance, the usage of the jmt can also alter this.
Here is an example, still using the mobile demo, with a junction like the one you created BUT with no matching jmt entry. I have:
----------------- Browser ===> PD -----------------
GET /demo/mobile-demo/ HTTP/1.1
...
host: ws9070.local.idp:444
...
Cookie: PD-S-SESSION-ID=1_2_1_P8PdPC+arhNfhyORsWeDTaawrDv2mYwhyHyGpEJiQgtCR4Yc
---------------------------------------------------
----------------- PD ===> BackEnd -----------------
GET /mobile-demo/ HTTP/1.1
...
host: 127.0.0.1
..
via: HTTP/1.1 isam9070:444
..
iv_server_name: aac-webseald-isam9070
---------------------------------------------------
----------------- PD <=== BackEnd -----------------
HTTP/1.1 200 OK
....
cache-control: no-cache="set-cookie, set-cookie2"
...
Set-Cookie: JSESSIONID=0000if7JqV2ZvTV3lzHMLu4SwgX:f98ce535-894e-4228-bb7a-da5516c20821; Path=/; Secure; HttpOnly
---------------------------------------------------
----------------- Browser <=== PD -----------------
HTTP/1.1 200 OK
....
expires: Thu, 01 Dec 1994 16:00:00 GMT
....
Set-Cookie: JSESSIONID=0000if7JqV2ZvTV3lzHMLu4SwgX:f98ce535-894e-4228-bb7a-da5516c20821; Path=/demo/; Secure; HttpOnly
---------------------------------------------------
While having a jmt.conf with an entry like
/demo /whatever-you-like/*
will result in (for the same junction as before):
----------------- Browser ===> PD -----------------
...
GET /demo/mobile-demo/ HTTP/1.1
..
Cookie: PD-S-SESSION-ID=1_2_1_ya7J80Uw3X8gccLd4ycrA53sQa-llPkKCLJQf89+jV4KgKJH
---------------------------------------------------
----------------- PD ===> BackEnd -----------------
GET /mobile-demo/ HTTP/1.1
..
via: HTTP/1.1 isam9070:444
..
iv_server_name: aac-webseald-isam9070
---------------------------------------------------
----------------- PD <=== BackEnd -----------------
HTTP/1.1 200 OK
....
Set-Cookie: JSESSIONID=0000czSFlcN_DLzkSxX1u4vUplF:f98ce535-894e-4228-bb7a-da5516c20821; Path=/; Secure; HttpOnly
---------------------------------------------------
----------------- Browser <=== PD -----------------
..
HTTP/1.1 200 OK
....
Set-Cookie: AMWEBJCT!%2Fdemo!JSESSIONID=0000czSFlcN_DLzkSxX1u4vUplF:f98ce535-894e-4228-bb7a-da5516c20821; Path=/; Secure; HttpOnly
---------------------------------------------------
You can see that in this case it has mangled the name of the cookie but left the path unchanged. However, if I also set in the WebSEAL conf to not modify the cookie name for JSESSIONID, still using the same junction and still using the jmt entry, I get what you reported:
----------------- Browser ===> PD -----------------
GET /demo/mobile-demo/ HTTP/1.1
...
Cookie: PD-S-SESSION-ID=1_2_1_jWhwIPmw+ofA6dZOwCj-ZM8T7ssz9sG4zMWrQUDBQtaaUliE
---------------------------------------------------
----------------- PD ===> BackEnd -----------------
GET /mobile-demo/ HTTP/1.1
host: 127.0.0.1
..
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
via: HTTP/1.1 isam9070:444
...
iv_server_name: aac-webseald-isam9070
---------------------------------------------------
----------------- PD <=== BackEnd -----------------
..
HTTP/1.1 200 OK
...
Set-Cookie: JSESSIONID=0000NWfJwBp-43mpqvDGSrkGsRF:f98ce535-894e-4228-bb7a-da5516c20821; Path=/; Secure; HttpOnly
---------------------------------------------------
----------------- Browser <=== PD -----------------
HTTP/1.1 200 OK
....
Set-Cookie: JSESSIONID=0000NWfJwBp-43mpqvDGSrkGsRF:f98ce535-894e-4228-bb7a-da5516c20821; Path=/; Secure; HttpOnly
---------------------------------------------------
Hope this helps
------------------------------
Gianluca Gargaro
IBM
Roma
------------------------------
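The three outcomes traced in the reply above (Path rewritten to the junction, name prefixed with the junction, cookie passed through untouched) can be told apart by comparing the back-end Set-Cookie with the one sent to the browser. The following is an added example, not part of the original post and not IBM code; the function names and the session values are constructed, and the AMWEBJCT name layout is taken only from the second trace.

```python
from urllib.parse import unquote

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def classify(junction, backend_hdr, client_hdr):
    """Say how the proxy changed a back-end cookie before it reached the browser."""
    b_name, _, b_attrs = parse_set_cookie(backend_hdr)
    c_name, _, c_attrs = parse_set_cookie(client_hdr)
    # An absent Path attribute compares as the empty string.
    b_path, c_path = b_attrs.get("path", ""), c_attrs.get("path", "")
    if c_name != b_name:
        # Layout seen in the second trace: AMWEBJCT!<url-encoded junction>!<name>
        prefix, _, rest = c_name.partition("!")
        jct, _, original = rest.partition("!")
        if prefix == "AMWEBJCT" and unquote(jct) == junction and original == b_name:
            return "name-mangled"
        return "unrecognised"
    if c_path == junction + b_path:
        return "path-scoped"
    return "unchanged" if c_path == b_path else "unrecognised"

def shared_cookies(junction, exchanges):
    """Names of cookies that reach the browser with neither name nor path tied to
    the junction; the browser sends these to every junction on the same host."""
    names = []
    for backend_hdr, client_hdr in exchanges:
        name, _, attrs = parse_set_cookie(client_hdr)
        under_junction = attrs.get("path", "").startswith(junction + "/")
        if classify(junction, backend_hdr, client_hdr) == "unchanged" and not under_junction:
            names.append(name)
    return names

# Constructed headers mirroring the three traces (session value is a placeholder).
BACKEND = "JSESSIONID=0000constructed:clone-id; Path=/; Secure; HttpOnly"
TRACES = {
    "no jmt match": BACKEND.replace("Path=/;", "Path=/demo/;"),
    "jmt match": "AMWEBJCT!%2Fdemo!" + BACKEND,
    "jmt match, name preserved": BACKEND,
}
RESULTS = {label: classify("/demo", BACKEND, hdr) for label, hdr in TRACES.items()}
```

A cookie reported by shared_cookies is the one exposed to name clashes between junctions, which is the case described in the original question.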
Original Message:
Sent: Mon January 20, 2020 02:09 PM
From: Sylvain Gilbert
Subject: Path in back-end cookies
Never paid attention to this behavior before.
Usually, we try enabling wherever possible "-j" on junctions and the side-benefit is that returned cookie name is renamed and made unique to the junction thus preventing cookie name clashes between different back-ends (junctions).
In some other situations, it is simply not possible as the back-end application (front-end) does not support cookie name change (nor do they support addition of JavaScript snippet in the returned payload).
Having done a bit of research, I came across this documentation link https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/concept/con_cookie_handl_path_attr.html where I'm insisting on this part: "standard WebSEAL filtering of visible server-relative URLs normally adds the junction name to the value of the path attribute of a server cookie (for example, path=/jct/xyz), in addition to modifying the URL itself". The fact is I have never seen a cookie returned by WebSEAL having the path set to the name of the junction. If that was working, it would resolve the cookie name clashing issue between different back-ends (junctions) for which the "-j" option cannot be enabled.
For instance, this is the cookie as returned from AAC Liberty Runtime demo application (across a junction):
{"JSESSIONID":{"httpOnly":true,"path":"/","secure":true,"value":"0000...-e2da-40e2-945e-63e51a3bc1dd"}}
With the following JCT setup:
- { set_junction_junction_point: "/cookie-nojs", set_junction_junction_type: "ssl", set_junction_server_hostname: "{{ isam_runtime_address }}", set_junction_server_port: 443, set_junction_scripting_support: "no" }
Is there a reason I am not seeing this cookie path being renamed by WebSEAL? Or another configuration setting that may conflict with the described behavior? Or I have simply misunderstood the shared documentation snippet.
Thanks
------------------------------
Sylvain Gilbert
------------------------------