Today, I read a small note on the OAM encrypted cookie and thought I would share it. Everyone is concerned about security when accessing banking or other sensitive applications, even when those applications are protected by Oracle Access Manager.
Most often the problem is cookie replay attacks: the ObSSOCookie is stolen by script running in the browser and then replayed by the attacker to impersonate the user. OAM mitigates this with the challenge parameter ssoCookie:httponly.
Defining this parameter in the authentication scheme means the ObSSOCookie is not accessible to client-side scripts such as JavaScript. This is the default value, so no extra work is required.
Conversely, you can make the ObSSOCookie accessible to client-side scripts by explicitly defining ssoCookie:disablehttponly in the authentication scheme.
I don't really see any valid use for it other than opening a channel for misuse.
In addition, you can use the SSL approach, which makes the cookie available only over SSL: the browser will not send it to a non-SSL application, so Single Sign-On through Oracle Access Manager does not carry over from SSL to non-SSL applications. To use this approach, set ssoCookie:secure in the authentication scheme.
Be careful: the parameter value is case-sensitive.
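The quickest way to confirm which of these settings is actually in effect is to look at the Set-Cookie header the OAM-protected server returns and check the attributes on the ObSSOCookie. The following is an added example, not code from the original post or from Oracle: it parses Set-Cookie headers the way a browser does and reports whether the ObSSOCookie is missing HttpOnly (the effect of ssoCookie:disablehttponly) or Secure (the effect of leaving out ssoCookie:secure). The cookie values and the JSESSIONID line are constructed samples, not captured from a real OAM server.

```python
"""Check whether an OAM ObSSOCookie is issued with HttpOnly and Secure.

Added example (not from the original post or from Oracle). It parses
Set-Cookie headers as a browser would and reports which protections are
missing, so the effect of ssoCookie:httponly / ssoCookie:disablehttponly /
ssoCookie:secure can be verified from a real HTTP response.
"""

OBSSO_COOKIE = "ObSSOCookie"  # name of the OAM single sign-on session cookie


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attributes are returned as a dict keyed by lower-cased attribute name,
    because browsers treat attribute names case-insensitively. Flag
    attributes such as HttpOnly and Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def check_obsso_cookie(set_cookie_headers):
    """Return a list of findings for the ObSSOCookie in a response.

    An empty list means the cookie carries both HttpOnly and Secure.
    Other cookies in the response are ignored.
    """
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != OBSSO_COOKIE:
            continue
        seen = True
        if not attrs.get("httponly"):
            findings.append(
                "ObSSOCookie is readable by client-side script (no HttpOnly); "
                "check the authentication scheme for ssoCookie:disablehttponly"
            )
        if not attrs.get("secure"):
            findings.append(
                "ObSSOCookie will be sent over plain HTTP (no Secure); "
                "add ssoCookie:secure to the authentication scheme"
            )
    if not seen:
        findings.append("no ObSSOCookie in response")
    return findings


# Constructed sample headers (hypothetical values, not from a real server).
HARDENED = [
    "ObSSOCookie=ZXhhbXBsZS1zZXNzaW9u; path=/; domain=.example.com; HttpOnly; Secure",
    "JSESSIONID=A1B2C3; path=/; HttpOnly",
]
WEAKENED = [
    "ObSSOCookie=ZXhhbXBsZS1zZXNzaW9u; path=/; domain=.example.com",
]

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("weakened", WEAKENED)):
        print(label, check_obsso_cookie(headers) or ["ok"])
```

To run this against a live deployment, capture the response headers of a protected URL after authenticating (for example with curl's `-D -` option) and feed every Set-Cookie line to `check_obsso_cookie`. A finding of "no HttpOnly" on a scheme that was never changed from the default is worth investigating, since the default is supposed to set it.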
You can go through this document.
Please reply with your thoughts on this topic.