MicroStrategy ONE

Configure SameSite Cookies for Library

Starting in MicroStrategy 2021 Update 7, you can manage SameSite cookies for Library in Workstation. See Chrome v80 Cookie Behavior and the Impact on MicroStrategy Deployments for managing SameSite cookies in MicroStrategy 2021 Update 6 and older.

SameSite prevents the browser from sending cookies along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides protection against cross-site request forgery attacks. Possible values are as follows:

  • Lax Provides a reasonable balance between security and usability for websites that want to maintain a user’s logged-in session after they arrive from an external link. The default option for SameSite is Lax, including when no option is selected.

  • Strict Prevents the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link.

  • None Allows cookies in all cross-site browsing contexts.

An HTTPS connection is a prerequisite for the None selection. If the SameSite cookie attribute is set to None, the associated cookie must be marked as Secure.

A SameSite attribute of None is recommended in the following scenarios:

  • There are cross-domain compatibility issues.

  • MicroStrategy Web and MicroStrategy Library are deployed in a domain other than the one displayed in the user's address bar.

  • You are using Security Assertion Markup Language (SAML), OpenID Connect (OIDC,) and third party authentication.

The cookie flag changes vary depending on your server:

Due to application server limitations, settings in the user interface only apply to the JSESSIONID cookie on Tomcat application servers.

Tomcat Web Servers

  1. In Workstation, Connect to the Library environment with an admin user.

  2. Right-click the environment and choose Properties.

  3. In the left pane, click Library and scroll down to the Cookies section.

  4. Based on your requirements, select the appropriate SameSite attribute and click OK. The SameSite attribute is unselected by default.

  5. Restart the Library server.

Learn more about the other settings on this dialog in View and Edit Library Administration Settings

WebLogic Web Servers

  1. In Workstation, Connect to the Library environment with an admin user.

  2. Right-click the environment and choose Properties.

  3. In the left pane, click Library and scroll down to the Cookies section.

  4. Based on your requirements, select the appropriate SameSite attribute and click OK. The SameSite attribute is unselected by default.

  5. In your MicroStrategy deployment, navigate to MicroStrategyLibrary\WEB-INF\weblogic.xml.

  6. Edit weblogic.xml and add the following code:

    Copy 
    <wls:session-descriptor>
    <wls:cookie-path>/;SameSite=NONE</wls:cookie-path>
    </wls:session-descriptor>

  7. Click Save and restart the Web server.

JBoss Web Servers

Setting Samesite as None for the JSessionID cookie is only supported by JBoss 7.3.3 and newer. The following procedure was tested using JBoss 7.3.7.

  1. In Workstation, Connect to the Library environment with an admin user.

  2. Right-click the environment and choose Properties.

  3. In the left pane, click Library and scroll down to the Cookies section.

  4. Based on your requirements, select the appropriate SameSite attribute and click OK. The SameSite attribute is unselected by default.

  5. In JBoss, navigate to jboss/standalone/configuration/standalone.xml.

  6. Edit standalone.xml and add <session-cookie http-only="true" secure="true"/> to the existing code as shown below.

    Copy 
    <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
                <buffer-cache name="default"/>
                <server name="default-server">
                    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                    <host name="default-host" alias="localhost">
                        <location name="/" handler="welcome-content"/>
                        <http-invoker security-realm="ApplicationRealm"/>
                    </host>
                </server>
                <servlet-container name="default">
                    <jsp-config/>
                    <session-cookie http-only="true" secure="true"/>
                    <websockets/>
                </servlet-container>
                <handlers>
                    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
                </handlers>
            </subsystem>

  7. Create a new file named undertow-handlers.conf using the code shown below and save it to the WEB-INF folder of the MicroStrategy Library deployment.

    Copy 
    samesite-cookie(mode=NONE)

  8. Restart the Web server.