How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script?

Today, I read a small note on OAM encrypted cookie and I thought to share it. Everyone is concerned about the security when they are accessing banking or any other secured applications though it is surrounded by Oracle Access Manager.

Most often the problem arises with Cookie Reply attacks and it happens to be in scripting that exists in browsers. How does OAM secure this attack is by using the parameter called ssoCookie:httponly.

By defining this parameter in the authentication scheme, it means that ObSSOCookie is not accessible to client side scripts such as JavaScript. However, the job is made easy for you. It is the default value. So we don’t have to do any extra work.

On the other hand, you can allow to make ObSSOCookie accessible to client side scripts by defining explicitly ssoCookie:disablehttponly in the authentication scheme.

I don’t really see any valid use of it other than you are opening a channel for misusers.

In addition, you can also use the SSL approach which makes the cookie available only in SSL environments and traversing from SSL to non-SSL applications does not Single Sign-On using Oracle Access Manager. To use this approach, you have to use ssoCookie: secure.

Please be careful, this is case-sensitive.

You can go through this document.

Please reply with your thoughts on this topic.

Share This Post with Your Friends over Social Media!

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog:

Leave a Comment:

chaitranath says April 11, 2011

Hi Mahendra,
Nice article.
Now,can you explain me how can we delete this cookie which is created by httponly using Java script while logout.

Mahendra says April 11, 2011


Theoritically, when you redirect to a page containing Logout either as gif or jsp or html, OAM treats that a Logout operation and will logout of the application. However, I don’t see this working until now. So you have to redirect to a custom Logout page (html or java or any web page) which deletes OAM cookies etc., from the browser session, infact invalidating session.

Hope this helps.


Antony says September 5, 2013


How to change ssoCookie:httponly to ssoCookie:secure?
When we do SSL will the ssoCookie change to secure automatically.


Mahendra says September 5, 2013


Yes, cookie will be sent over SSL if http connection is SSL.


Add Your Reply

{"wp_error":"stream_socket_client(): SSL: Handshake timed out\nstream_socket_client(): Failed to enable crypto\nstream_socket_client(): unable to connect to ssl:\/\/ (Unknown error)"}