We have a Shindig application protected by OAM 11g through an Apache 10g WebGate. Please refer to my previous post on how to protect an Apache Shindig application with OAM 11g.

It is very common to pass user attributes to the application as headers or cookies through authorization responses. In our case, however, the requirement is for the application's client-side code to read the ObSSOCookie that OAM sets after authentication.

There are drawbacks to reading the OAM cookie from script, and it is not advisable; we will take that topic up in another post.

We wrote some simple JavaScript that reads cookies from document.cookie, and every cookie was readable except the OAM cookie. We used the following change to get around this:

  1. Log in to the OAM console.
  2. Open the form-based authentication scheme that our application uses (we are using form login).
  3. Add the parameter ssoCookie=disablehttponly to its Challenge Parameter field, as shown below.
  4. Apply the changes.

By default OAM 11g (also when fronted by a 10g WebGate, as here) marks its SSO cookie HttpOnly: the authentication scheme's challenge parameter is set to ssoCookie=httponly out of the box. The browser then withholds the cookie from document.cookie, so JavaScript cannot read it, which is what you want in a secured environment: without the flag, any cross-site scripting flaw in any application on the cookie's domain would let an attacker read the cookie and take over the SSO session. Setting ssoCookie=disablehttponly drops the flag and should only be considered in a less secure environment, such as development.

After this change the ObSSOCookie appears in document.cookie and our JavaScript can read it. You can confirm the change took effect by checking that the Set-Cookie header for ObSSOCookie in the login response no longer carries the HttpOnly attribute.
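The following is an added example, not code from the original post or from Oracle: it shows in plain JavaScript why the default setting hides the cookie from script and how to check the Set-Cookie header for the flag. The Set-Cookie headers and the ObSSOCookie value are constructed placeholders, not real OAM output; the function names are mine.

```javascript
// Added example (not from the original post or from OAM itself): the HttpOnly
// attribute decides whether document.cookie exposes the ObSSOCookie, and a
// small Set-Cookie parser lets you check the flag on the login response.
// Cookie values below are constructed placeholders, not real OAM tokens.

// Parse one Set-Cookie header into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// True when the cookie is marked HttpOnly, i.e. invisible to document.cookie.
function isHttpOnly(header) {
  return parseSetCookie(header).attrs.httponly === true;
}

// Simulate what document.cookie would contain after these Set-Cookie headers:
// the browser never includes HttpOnly cookies in that string.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c.attrs.httponly !== true)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Read one cookie by name from a document.cookie-style string, the way the
// post's "simple JavaScript" does. Returns null when the cookie is not visible.
function getCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const trimmed = pair.trim();
    if (trimmed.startsWith(name + "=")) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Constructed login-response headers for the two challenge-parameter settings.
// Default, ssoCookie=httponly:
const withHttpOnly = [
  "ObSSOCookie=AAAAexample-token; path=/; domain=.example.com; HttpOnly; Secure",
  "JSESSIONID=abc123; path=/shindig",
];
// After ssoCookie=disablehttponly (Secure is unaffected):
const withoutHttpOnly = [
  "ObSSOCookie=AAAAexample-token; path=/; domain=.example.com; Secure",
  "JSESSIONID=abc123; path=/shindig",
];

console.log(getCookie(visibleToScript(withHttpOnly), "ObSSOCookie"));    // null
console.log(getCookie(visibleToScript(withoutHttpOnly), "ObSSOCookie")); // "AAAAexample-token"
```

In a real deployment, capture the Set-Cookie header from the login response (browser developer tools or the WebGate's response as seen by curl) and run it through isHttpOnly; the same check makes a useful post-deployment test if the setting is ever supposed to be reverted to ssoCookie=httponly.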