How to prevent cookie replay attacks, especially reading cookie contents from JavaScript?

Today I read a small note on the OAM encrypted cookie and thought I would share it. Everyone is concerned about security when accessing banking or other sensitive applications, even when those applications are protected by Oracle Access Manager.

Most often the problem is cookie replay: a script running in the browser reads the session cookie, and the stolen value is then replayed to impersonate the user. OAM addresses this with the authentication scheme parameter ssoCookie:httponly.

When this parameter is set in the authentication scheme, the ObSSOCookie is not accessible to client-side scripts such as JavaScript. The job is already done for you: it is the default value, so no extra work is needed.

On the other hand, you can make the ObSSOCookie accessible to client-side scripts by explicitly defining ssoCookie:disablehttponly in the authentication scheme.

I don't really see any valid use for that setting; all it does is open a channel for misuse.

In addition, you can use the SSL approach, which makes the cookie available only over SSL connections; with this setting, moving from an SSL application to a non-SSL application does not carry Single Sign-On across, because the browser will not send the cookie over plain HTTP. To use this approach, set ssoCookie:secure.

Please be careful: these parameter values are case-sensitive.
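To verify that the settings above actually reach the browser, it helps to inspect the Set-Cookie headers the protected server returns. The following is an added example, not OAM code or part of the original post: it parses Set-Cookie headers and reports an SSO cookie (ObSSOCookie by default) that is missing the HttpOnly or Secure attribute. The sample headers are constructed and the cookie values are placeholders.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not OAM code). Checks whether an SSO cookie such as
ObSSOCookie carries the attributes that ssoCookie:httponly and
ssoCookie:secure are meant to produce.
"""
from typing import Dict, List

# Constructed sample headers; the cookie values are placeholders,
# not real OAM session tokens.
SAMPLE_HEADERS = [
    "ObSSOCookie=PLACEHOLDER_TOKEN; path=/; domain=.example.com; HttpOnly; Secure",
    "ObSSOCookie=PLACEHOLDER_TOKEN; path=/; domain=.example.com",
    "JSESSIONID=PLACEHOLDER; Path=/app; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and flag attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive per RFC 6265; normalise to lower case.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {
        "name": name.strip(),
        "value": value,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


def audit_cookies(headers: List[str], sso_name: str = "ObSSOCookie") -> List[str]:
    """Return one finding per missing protection on the named SSO cookie."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != sso_name:
            continue  # only the SSO cookie is in scope here
        if not cookie["httponly"]:
            findings.append(f"{sso_name}: missing HttpOnly (readable from script)")
        if not cookie["secure"]:
            findings.append(f"{sso_name}: missing Secure (sent over plain HTTP)")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

In practice you would feed it the headers captured from a login response to the protected resource; only the second constructed header above produces findings.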

You can go through this document.

Please reply with your thoughts on this topic.

About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com


4 comments
chaitranath says April 11, 2011

Hi Mahendra,
Nice article.
Now, can you explain to me how we can delete this cookie, which is created with httponly, using JavaScript during logout?

Mahendra says April 11, 2011

Chaitranath,

Theoretically, when you redirect to a page containing Logout, either as gif or jsp or html, OAM treats that as a Logout operation and will log out of the application. However, I don't see this working until now. So you have to redirect to a custom Logout page (html or java or any web page) which deletes OAM cookies etc. from the browser session, in fact invalidating the session.

Hope this helps.

-Mahendra.

Antony says September 5, 2013

@Mahendra,

How to change ssoCookie:httponly to ssoCookie:secure?
When we use SSL, will the ssoCookie change to secure automatically?

Thanks

Mahendra says September 5, 2013

Antony,

Yes, the cookie will be sent over SSL if the HTTP connection is SSL.

Thanks,
Mahendra.
