{"id":2391,"date":"2011-04-11T10:04:18","date_gmt":"2011-04-11T14:04:18","guid":{"rendered":"http:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/"},"modified":"2011-04-11T10:04:18","modified_gmt":"2011-04-11T14:04:18","slug":"how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script","status":"publish","type":"post","link":"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/","title":{"rendered":"How to prevent users from cookie replay attacks, especially reading cookie contents from JavaScript?"},"content":{"rendered":"<p>Today, I read a small note on the OAM encrypted cookie and I thought to share it. Everyone is concerned about security when accessing banking or other secured applications, even though these are protected by Oracle Access Manager.<\/p>\n<p>Most often the problem arises with cookie replay attacks, and the exposure comes from scripting that runs in browsers. OAM protects against this attack by using the authentication scheme parameter <code>ssoCookie:httponly<\/code>.<\/p>\n<p>Defining this parameter in the authentication scheme means that the ObSSOCookie is not accessible to client-side scripts such as JavaScript. The job is made easy for you: it is the default value, so we don&#8217;t have to do any extra work.<\/p>\n<p>On the other hand, you can make the ObSSOCookie accessible to client-side scripts by explicitly defining <code>ssoCookie:disablehttponly<\/code> in the authentication scheme.<\/p>\n<p>I don&#8217;t really see any valid use of it other than opening a channel for misusers.<\/p>\n<p>In addition, you can also use the SSL approach, which makes the cookie available only in SSL environments; traversing from SSL to non-SSL applications then does not provide Single Sign-On using Oracle Access Manager. 
To use this approach, you have to use <code>ssoCookie:secure<\/code>.<\/p>\n<p>Please be careful, this is case-sensitive.<\/p>\n<p>You can go through this <a href=\"http:\/\/download.oracle.com\/docs\/cd\/E15217_01\/doc.1014\/e12496\/oamrn.htm\">document<\/a>.<\/p>\n<p>Please reply with your thoughts on this topic.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, I read a small note on OAM encrypted cookie and I thought to share it. Everyone is concerned about [&hellip;]<\/p>\n","protected":false},"author":115,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[37],"tags":[],"class_list":["post-2391","post","type-post","status-publish","format-standard","hentry","category-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script? 
-<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script? -\" \/>\n<meta property=\"og:description\" content=\"Today, I read a small note on OAM encrypted cookie and I thought to share it. Everyone is concerned about [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/\" \/>\n<meta property=\"article:published_time\" content=\"2011-04-11T14:04:18+00:00\" \/>\n<meta name=\"author\" content=\"Masroof Ahmad\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Masroof Ahmad\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/\",\"url\":\"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/\",\"name\":\"How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script? 
-\",\"isPartOf\":{\"@id\":\"https:\/\/onlineappsdba.com\/#website\"},\"datePublished\":\"2011-04-11T14:04:18+00:00\",\"author\":{\"@id\":\"https:\/\/onlineappsdba.com\/#\/schema\/person\/909a876ed58d400faf82caf81d61bfdb\"},\"breadcrumb\":{\"@id\":\"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/onlineappsdba.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/onlineappsdba.com\/#website\",\"url\":\"https:\/\/onlineappsdba.com\/\",\"name\":\"\",\"description\":\"Oracle Implementation &amp; Training Experts\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/onlineappsdba.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/onlineappsdba.com\/#\/schema\/person\/909a876ed58d400faf82caf81d61bfdb\",\"name\":\"Masroof 
Ahmad\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/onlineappsdba.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/10f9db7bdbbd7f9ccfbe9b2d208e5978fc28315e9c704383e639a926ea0fce5f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/10f9db7bdbbd7f9ccfbe9b2d208e5978fc28315e9c704383e639a926ea0fce5f?s=96&d=mm&r=g\",\"caption\":\"Masroof Ahmad\"},\"url\":\"https:\/\/onlineappsdba.com\/index.php\/author\/masroof\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script? -","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/","og_locale":"en_US","og_type":"article","og_title":"How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script? -","og_description":"Today, I read a small note on OAM encrypted cookie and I thought to share it. Everyone is concerned about [&hellip;]","og_url":"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/","article_published_time":"2011-04-11T14:04:18+00:00","author":"Masroof Ahmad","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Masroof Ahmad","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/","url":"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/","name":"How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script? -","isPartOf":{"@id":"https:\/\/onlineappsdba.com\/#website"},"datePublished":"2011-04-11T14:04:18+00:00","author":{"@id":"https:\/\/onlineappsdba.com\/#\/schema\/person\/909a876ed58d400faf82caf81d61bfdb"},"breadcrumb":{"@id":"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/onlineappsdba.com\/index.php\/2011\/04\/11\/how-to-prevent-users-from-cookie-reply-attacks-especially-reading-cookie-contents-from-java-script\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/onlineappsdba.com\/"},{"@type":"ListItem","position":2,"name":"How to prevent users from cookie reply attacks, especially reading cookie contents from Java Script?"}]},{"@type":"WebSite","@id":"https:\/\/onlineappsdba.com\/#website","url":"https:\/\/onlineappsdba.com\/","name":"","description":"Oracle Implementation &amp; Training 
Experts","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/onlineappsdba.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/onlineappsdba.com\/#\/schema\/person\/909a876ed58d400faf82caf81d61bfdb","name":"Masroof Ahmad","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/onlineappsdba.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/10f9db7bdbbd7f9ccfbe9b2d208e5978fc28315e9c704383e639a926ea0fce5f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/10f9db7bdbbd7f9ccfbe9b2d208e5978fc28315e9c704383e639a926ea0fce5f?s=96&d=mm&r=g","caption":"Masroof Ahmad"},"url":"https:\/\/onlineappsdba.com\/index.php\/author\/masroof\/"}]}},"_links":{"self":[{"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/posts\/2391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/users\/115"}],"replies":[{"embeddable":true,"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/comments?post=2391"}],"version-history":[{"count":0,"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/posts\/2391\/revisions"}],"wp:attachment":[{"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/media?parent=2391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/categories?post=2391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/onlineappsdba.com\/index.php\/wp-json\/wp\/v2\/tags?post=2391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}