Securing ObFormLoginCookie in OAM 10g

We usually secure the ObSSOCookie so that the browser sends it only over SSL, which keeps non-SSL applications from accessing it. This is a very good feature for improving security in OAM. If you also want to secure the ObFormLoginCookie, you can do so, even though this cookie holds no sensitive information. Unlike securing the ObSSOCookie, securing the ObFormLoginCookie still lets end users access applications over both non-SSL and SSL. The steps below are for OAM 10g. Perhaps this would work in 11g too, though I haven’t tried it.

  1. Log in to the OAM Access Console.
  2. Edit the form authentication scheme.
  3. Specify the Challenge Parameter miscCookies:Secure along with the other challenge parameters. Refer to the screenshot below.
  4. Restart the Resource Webgate for a quick config refresh.
  5. Access an application protected by the above Form Auth scheme.
  6. Observe that when the ObFormLoginCookie is set, it now carries the “Secure” attribute. For example:

Set-Cookie: ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html%20wo%3D1%20rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html; Secure; path=/dummy.cgi
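To confirm step 6 without reading the header by eye, here is an added check (my code, not from the post) that parses Set-Cookie headers, reports any OAM cookie issued without the Secure attribute, and decodes the ObFormLoginCookie value into its fields. The function names are mine; the first sample header is the one above, the second is a constructed example of a WebGate that was not given miscCookies:Secure.

```python
"""Check that OAM cookies are issued with the Secure attribute (added example)."""
from typing import Dict, List
from urllib.parse import unquote


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.
    Attribute names are lower-cased; flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def decode_formlogin_value(value: str) -> Dict[str, str]:
    """Decode the URL-encoded ObFormLoginCookie payload into its
    space-separated key=value fields (wh, wu, wo, rh, ru in the sample)."""
    fields: Dict[str, str] = {}
    for token in unquote(value).split(" "):
        key, _, val = token.partition("=")
        if key:
            fields[key] = val
    return fields


def insecure_cookies(headers: List[str],
                     names=("ObFormLoginCookie", "ObSSOCookie")) -> List[str]:
    """Return the names of OAM cookies that were set without Secure."""
    missing = []
    for h in headers:
        cookie = parse_set_cookie(h)
        if cookie["name"] in names and not cookie["attrs"].get("secure"):
            missing.append(cookie["name"])
    return missing


# Constructed input: the first header is the one shown in the post,
# the second mimics a WebGate whose scheme lacks miscCookies:Secure.
SAMPLE_HEADERS = [
    "ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html%20wo%3D1%20"
    "rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html; Secure; path=/dummy.cgi",
    "ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html; path=/dummy.cgi",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        flag = "Secure" if c["attrs"].get("secure") else "NOT secure"
        print(c["name"], flag, decode_formlogin_value(c["value"]))
    print("missing Secure:", insecure_cookies(SAMPLE_HEADERS))
```

In practice, feed it the Set-Cookie headers captured from the WebGate response after the restart in step 4; an empty list from insecure_cookies means the change took effect.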

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com
