Fix (APAR): PH20912
Status: Fix
Release: 8.5.5.16,8.5.5.15,8.5.5.14,8.5.5.13,8.5.5.12,8.5.5.11
Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 273986
Date: 2020-02-03

Abstract: unable to set samesite cookie option with response.addheader

Description/symptom of problem:
PH20912 resolves the following problem:

ERROR DESCRIPTION:
unable to set samesite cookie option with response.addHeader

LOCAL FIX:
N/A

PROBLEM SUMMARY:
USERS AFFECTED: All users of WebSphere Application Server
PROBLEM DESCRIPTION: Unable to set the SameSite cookie attribute when using the HttpServletResponse.set/addHeader API
RECOMMENDATION: None

The SameSite cookie attribute is not currently supported by the IBM WebSphere Application Server. As a result, the HTTP channel does not recognize the attribute as valid, which might result in the creation of a new Set-Cookie header, with the name of SameSite, when the attribute is set in Set-Cookie headers or on existing cookies.

PROBLEM CONCLUSION:
The HTTP channel code was changed to recognize the SameSite cookie attribute as a valid cookie attribute for cookies set by applications with HttpServletResponse.set/addHeader APIs.

Please follow the SameSite RFE to be updated on changes to SameSite handling for cookies set directly by the Application Server:
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=119022

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.18, 9.0.5.4, and Liberty 20.0.0.2.

The Git issue for Open Liberty can be found here:
https://github.com/OpenLiberty/open-liberty/issues/10384

Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 8.5
 X  Application Server (Express or BASE)
 X  Network Deployment (ND)
 __ Liberty Core
 __ Edge Components
 X  Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
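
A check for the symptom described under PROBLEM SUMMARY, as an added example that is not part of the IBM fix documentation: it audits the Set-Cookie header values captured from a response and flags a SameSite attribute that was emitted as its own cookie. The header samples, the function names and the exact shape of the pre-fix output are assumptions made for illustration; the check for SameSite=None without Secure goes beyond what this APAR covers.

```python
# Added example, not IBM code. Header samples are constructed for illustration.
VALID_SAMESITE = {"strict", "lax", "none"}

# Assumed shape of the symptom: the attribute arrives as its own cookie.
BEFORE_FIX = [
    "appcookie=abc123; Path=/; Secure; HttpOnly",
    "SameSite=Lax",
]
# Expected shape once the attribute is recognized as part of the cookie.
AFTER_FIX = ["appcookie=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie value")
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie_headers(headers):
    """Return (cookie_name, finding) for every Set-Cookie header value."""
    findings = []
    for value in headers:
        name, attrs = parse_set_cookie(value)
        samesite = attrs.get("samesite", "").lower()
        if name.lower() == "samesite":
            finding = "attribute emitted as a separate cookie"
        elif "samesite" not in attrs:
            finding = "SameSite missing"
        elif samesite not in VALID_SAMESITE:
            finding = "SameSite value not recognized"
        elif samesite == "none" and "secure" not in attrs:
            finding = "SameSite=None without Secure"
        else:
            finding = "ok"
        findings.append((name, finding))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_set_cookie_headers(sample))
```

Feed it the Set-Cookie values from a response captured before and after applying the fix; any finding other than "ok" on an application cookie needs attention.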