66454 - The "Secure" attribute is missing from SAS® session cookies in SAS® 9.4M5 and later after you configure the HTTPS protocol for SAS® Web Server

Problem Note 66454: The "Secure" attribute is missing from SAS® session cookies in SAS® 9.4M5 and later after you configure the HTTPS protocol for SAS® Web Server

The Secure attribute might be missing from SAS session cookies in SAS^® 9.4M5 and later after you configure HTTPS for SAS^® Web Server. This problem can occur in instances where the internal server's IP address for SAS Web Server is nonstandard, often due to the presence of a network device such as BigIP or F5.

By default, SAS 9.4M5 and later include the following <Valve> definition in the web-application server instances:

        <Valve className="org.apache.catalina.valves.RemoteIpValve" httpServerPort="7980" httpsServerPort="8343" internalProxies="(fe80|fd[0-9a-fA-F]{2})(:{1,2}[0-9a-fA-F]{0,4}){0,7}(%[0-9a-zA-Z]+)?$|::1|0:0:0:0:0:0:0:1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3)\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}" protocolHeader="X-Forwarded-Proto"/>

In order for the Secure attribute to be set, the SAS Web Server IP address must be matched by the regular expression that is defined by the internalProxies parameter. In rare instances, there is no match. In such an instance, you must customize the regular expression in order for the web-application server instance to match the incoming IP address. Rather than modifying the existing expressions, the recommended way to customize the expression is to add an additional expression to the end of the string, preceded by the "|" delimiter, which separates the expressions in the string. There are a number of regular-expression matching applications online that can aid in the customization.

Here is an example of customized syntax:

internalProxies="(fe80|fd[0-9a-fA-F]{2})(:{1,2}[0-9a-fA-F]{0,4}){0,7}(%[0-9a-zA-Z]+)?$|::1|0:0:0:0:0:0:0:1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3)\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|custom.regex.here"

You must make the customization for all instances of web-application server SASServerX_Y. Then, you need to restart the services for the change to take effect.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS Web Application Server	Microsoft® Windows® for x64	9.44		9.4 TS1M5
		64-bit Enabled AIX	9.44		9.4 TS1M5
		64-bit Enabled Solaris	9.44		9.4 TS1M5
		HP-UX IPF	9.44		9.4 TS1M5
		Linux for x64	9.44		9.4 TS1M5
		Solaris for x64	9.44		9.4 TS1M5

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	high

Date Modified:	2020-08-11 08:33:16
Date Created:	2020-08-10 14:41:57

Support

Problem Note 66454: The "Secure" attribute is missing from SAS® session cookies in SAS® 9.4M5 and later after you configure the HTTPS protocol for SAS® Web Server

Operating System and Release Information