OAM_REQ and OAM_ID Cookies Secure Flags are not set
Last updated on JUNE 18, 2016
Applies to: Oracle Access Manager - Version 22.214.171.124.1 and later
Information in this document applies to any platform.
Followed Oracle Docs Yet OAM_REQ And OAM_ID Cookies Secure Flag Is Not Set
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1), Part Number E15478-06, 12 Managing Policy Components
About ssoCookie Challenge Parameters for Encrypted Cookies ...
Table 16-23 Challenge Parameters for 10g/11g Encrypted Cookies
11g/10g Webgate Challenge Parameter Syntax for Encrypted Cookies | Description
ssoCookie = Parameter that controls flags for the SSO cookie OAMAuthnCookie.
miscCookies = Parameter that controls flags for all other Access Manager encrypted cookies.
Secure - Ensures that the encrypted cookie is sent only when the resource is accessed through HTTPS. A secure cookie is required only when a browser is visiting a server using HTTPS.
Steps to reproduce the issue:
1. Open a new browser session and call the following URL:
2. The login page is displayed...
address bar shows ... https://hostname.domain/oam/server/obrareq.cgi ...
3. Enter the username and password: admin/pwd
4. The requested resource is displayed.
5. In Chrome Developer Tools, under Resources, Cookies, the OAM_ID, OAM_REQ_0, and OAM_REQ_COUNT cookies are shown without the Secure flag set.
SSL is terminated at the LB.
hostname.domain is the VIP ... Request flow: hostname.domain ---> OHS ---> WebLogic Server
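A scripted version of the check in step 5, as an added example that is not part of the Oracle note: it parses captured Set-Cookie response headers and lists the OAM cookies that lack the Secure attribute. The header values are constructed sample data, and the prefix list and function names are assumptions made for illustration.

```python
# Added example (not Oracle code): audit Set-Cookie headers for a missing Secure attribute.

# Cookie name prefixes taken from the article; the tuple itself is an assumption.
OAM_PREFIXES = ("OAM_ID", "OAM_REQ", "OAMAuthnCookie")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_secure(set_cookie_headers, prefixes=OAM_PREFIXES):
    """Return the sorted names of matching cookies that lack the Secure attribute."""
    flagged = set()
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        # Only the attribute list is inspected, never the cookie value.
        if name.startswith(prefixes) and "secure" not in attrs:
            flagged.add(name)
    return sorted(flagged)


# Constructed sample: headers as they might be captured from the HTTPS front end.
SAMPLE_HEADERS = [
    "OAM_REQ_0=constructed-value-0; path=/; HttpOnly",
    "OAM_REQ_COUNT=constructed-count; path=/; HttpOnly",
    "OAM_ID=not-secure-placeholder; path=/; HttpOnly",
    "OAMAuthnCookie=constructed-token; path=/; Secure; HttpOnly",
    "JSESSIONID=constructed-session; path=/",
]

if __name__ == "__main__":
    for cookie in missing_secure(SAMPLE_HEADERS):
        print(f"Secure flag not set: {cookie}")
```

Because SSL is terminated at the LB, capture the headers at the client-facing HTTPS endpoint so the result reflects what the browser actually receives.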