

Status Delivered
Workspace WebSphere Liberty
Created by Guest
Created on Jul 27, 2021

Allow for setting the cookie path for LtpaToken2 cookie (Security reasons)

We would like the `LtpaToken2` cookie path to be equal to the context root of the web module instead of `/`.

For `httpSession` elements, there exists a `useContextRootAsCookiePath` attribute to accomplish this (https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.base.doc/ae/rwlp_config_httpSession.html).

However, no such `useContextRootAsCookiePath` exists for `webAppSecurity` elements, and it doesn't appear that there is any other way to set the cookie path for `LtpaToken2` to accomplish this. https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.base.doc/ae/rwlp_config_webAppSecurity.html

The ability to limit the cookie path is desirable here as leaving the cookie path as `/` means that the cookie will be sent to any app using the same domain name even if the intended application is using a different `context root`.

This request was initially created here https://github.com/OpenLiberty/open-liberty/issues/16235

Idea priority High
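
The cookie-path concern in the request above, as an added example that is not part of the original post or of Liberty's code: it applies the RFC 6265 path-match rule to show which requests on one host would carry `LtpaToken2` when the cookie is scoped to `/` versus a context root. The context roots, header values and function names are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: would a cookie scoped to cookiePath
// be attached to a request for requestPath on the same host?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary: /payroll must not match /payroll-admin.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Extract name, value and Path from a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // Assumption: with no Path attribute this sketch falls back to "/";
  // real user agents derive a default from the request URI instead.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: "/" };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.trim().toLowerCase() === "path" && val.trim().startsWith("/")) {
      cookie.path = val.trim();
    }
  }
  return cookie;
}

// Constructed request paths for apps sharing one host (hypothetical context roots).
const REQUESTS = ["/payroll/home", "/payroll", "/payroll-admin/login", "/wiki/edit", "/"];

// Return the request paths whose requests would include the cookie.
function recipients(setCookie, requests = REQUESTS) {
  const cookie = parseSetCookie(setCookie);
  return requests.filter((p) => pathMatches(p, cookie.path));
}

// Constructed header values; the token value is a placeholder.
const ROOT_SCOPED = "LtpaToken2=PLACEHOLDER; Path=/; HttpOnly; Secure";
const APP_SCOPED = "LtpaToken2=PLACEHOLDER; Path=/payroll; HttpOnly; Secure";

console.log("Path=/        ->", recipients(ROOT_SCOPED));
console.log("Path=/payroll ->", recipients(APP_SCOPED));
```

Path scoping only controls which requests the browser attaches the cookie to; RFC 6265 itself notes that the Path attribute cannot be relied on as an isolation boundary between applications on one host.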
  • Admin
    Alasdair Nottingham
    Sep 21, 2023

    This idea was delivered in 23.0.0.9. The Open Liberty release blog post describes how to use it here. This is also available in WebSphere Liberty and can be configured in the same way.

  • Guest
    Oct 11, 2021

    Hi Alasdair, I did not see any way to make this private or public as part of submission. Is there any way to change the visibility of it so other folks can upvote it as well? Also, any idea as to when this is planned to be addressed? We need to communicate to our clients who have raised their concerns on this issue. Thanks in advance.

  • Admin
    Alasdair Nottingham
    Oct 1, 2021

    When this Aha Idea was created it was created to be only visible to internal users. Looking at the history there has been no change to visibility.

  • Guest
    Oct 1, 2021

    Just wondering why this one has been marked private? We had another customer escalation come up regarding this and they are specifically citing security as the reason for doing so. Does marking it private mean that it will be addressed but it's private so that others aren't aware of the security risk? If so, that's fine; our team is just wondering when it is planned to be addressed so that we can communicate it to our clients who have raised their concerns on this issue.

2 MERGED

Track individual logins via separate LTPA tokens

Merged
If I have a web application running in WebSphere Liberty Profile I can log in and get an LTPA token via a cookie. This token is valid for a configurable period of time. If I capture the cookie, and log out of the web application I can replay the c...
over 6 years ago in WebSphere Liberty 0 Delivered