Configure Session Manager
Add CookieSameSite to session cookies
The approach in the Teams integration documentation rewrites all cookies that are routed through IHS and adds SameSite=None;Secure. This is only needed for session cookies, so it is easier to add the option to WebSphere and let it handle the SameSite option.
You can add a custom property to the application server session manager. The value can be:
None
LAX
Strict
Disabled (default)
As we need to set it to None, we set CookieSameSite=None.
Additionally, I added to the script that all application servers have HttpSessionIdReuse set.
WebSphere documentation tells us:
The custom property HttpSessionIdReuse determines whether the session manager can use the session ID sent from a browser to preserve session data across web applications that are running in an environment that is not configured for session persistence. This property must be configured at the web container level.
In a multi-JVM environment that is not configured for session persistence, setting this property to true enables the session manager to use the same session information for all of a user's requests even if the web applications that are handling these requests are governed by different JVMs. The default value for this property is false. Set this property to true if you want to enable the session manager to use the session ID sent from a browser to preserve session data across web applications that are running in an environment that is not configured for session persistence.
The Connections application servers have this custom property set, but the Connections Docs servers do not. So adding this makes session management way more reliable.
Or you can use the script ibmcnx/security/cookiesamesite.py to add this property to each of your application servers.
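To check the result after restarting the servers, the Set-Cookie headers of a response can be audited. The following is an added example, not part of the ibmcnx scripts: it assumes the WebSphere default session cookie name JSESSIONID, and the cookie `ui_pref` and all sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers after setting CookieSameSite=None.
# Assumption: the session cookie uses WebSphere's default name JSESSIONID.
SESSION_COOKIES = {"JSESSIONID"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure map to ""
    return name, attrs

def audit(headers, session_cookies=SESSION_COOKIES):
    """Return a list of (cookie name, finding) for the given header values."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        samesite = attrs.get("samesite", "").lower()
        if name in session_cookies:
            if samesite != "none":
                findings.append((name, "session cookie lacks SameSite=None"))
            elif "secure" not in attrs:
                # Browsers drop SameSite=None cookies that are not Secure.
                findings.append((name, "SameSite=None without Secure"))
        elif samesite == "none":
            findings.append((name, "non-session cookie carries SameSite=None"))
    return findings

# Constructed sample headers, not captured from a real server.
BLANKET_REWRITE = [  # every cookie rewritten at IHS
    "JSESSIONID=0000abc:-1; Path=/; HttpOnly; SameSite=None; Secure",
    "ui_pref=compact; Path=/; SameSite=None; Secure",
]
SESSION_MANAGER_ONLY = [  # only the session manager adds the attribute
    "JSESSIONID=0000abc:-1; Path=/; HttpOnly; Secure; SameSite=None",
    "ui_pref=compact; Path=/; Secure",
]
MISSING_SECURE = ["JSESSIONID=0000abc:-1; Path=/; SameSite=None"]

if __name__ == "__main__":
    for label, sample in [("IHS rewrite", BLANKET_REWRITE),
                          ("session manager", SESSION_MANAGER_ONLY),
                          ("no Secure", MISSING_SECURE)]:
        print(label, audit(sample))
```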