Fetch userid from custom cookie from HTTP session: Oracle Access Manager

Please refer the post for more details why do we need to fetch the userid attribute value from a Cookie instead of Header Variable.

Most of the integrations that we do with Oracle Access Manager expect user id to be passed to the target application to identify the user authenticated.

The below code can be used to fetch the Cookie which has userid in a jsp page.

String cookieName = “HTTP_REMOTE_UID”;
String userid = null;
Cookie cookies [] = request.getCookies();
if (cookies != null)
{
for (int i = 0; i < cookies.length; i++)
{
if (cookies [i].getName().equals (cookieName))
{
userid=cookies[i].getValue();

}
}
}

User Logged into application <%= userid %>

I have taken jsp in this case, it could also be servlet or asp etc.,

You should be really cautious to justify this solution to the customer because of a security loophole with this approach.

The Cookie that is sent from OAM to user browser is a plain text and not encrypted. Anyone who has good knowledge in tweaking the code could easily intervene and take user information which is highly confidential. In our case, we have just retrieved userid, but it can be other attributes like mobile no., SSN etc.,

Hence, please use this approach with more circumspection.

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

7 comments

» Header variables not set in IE browser: Oracle Access Manager Online Apps DBA: One Stop Shop for Apps DBA’s says July 15, 2010

[…] check the post for the code you need to embed in protected application to fetch cookie and security loopholes of […]

Shilu says July 15, 2010

Hi Mahendra,

One scenario I would like to cover here is if a hacker is siting in the same network from where he has access to the target application which is protected by OAM, and if your target app is accepting cookie without any validation i.e which server is sending the cookie. In that case this is a security breach and a hacker can easily get access to the target app with the username he wishes to access.

My ten cents.

Cheers,
Shilu

Mahendra says July 16, 2010

Hi Shilu,

Yes, you may be right in one sense. I have clearly mentioned that there is a loophole by fetching userid from Cookie. Instead you can use Basic Over LDAP Authentication scheme. You may also try with certificate based authentication scheme as well.

Even securing the cookie contents by encryption is not an option here. So you can use Basic Over LDAP in that case.

Again, you have to decide with your Security Architect for handling such vulnerable case.

-Mahendra.

tcraffa says October 12, 2011

Any idea why the cookie would not be passed correctly from an Oracle OHS Server to Weblogic? When I use it in thei mabber, the JSP page on Weblogic does not get the correct value from the cookie unless I refresh the jsp after the redirect.

Mahendra says October 12, 2011

tcraffa,

What is imabber? Is there any specific reason why you are passing cookie instead of header variable?

-Mahendra

tcraffa says October 13, 2011

I am using a cookie because of your earlier post about header variable not being passed in IE when you have multiple redirects. I am using Form-based authentication. The form and the java app are on the same weblogic server, but for some reason the cookie value is null when the java app reads it the first time. Once I refresh the page, the cookie is retrieved correctly. I think it is being set correctly. There is just something odd about how it is retrieved the first time.

jj says June 12, 2013

tcraffa,
As you mentioned – “Once I refresh the page, the cookie is retrieved correctly. I think it is being set correctly.”

we are facing same issue in our setup.Were you able to figure out the issue?

Thanks.

Add Your Reply