
Oracle Access Manager 11g R2PS2 (OAM 11.1.2.2) OAM_REQ and OAM_ID Cookies Secure Flags Are Not Set (Doc ID 2140715.1)

Last updated on APRIL 05, 2021

Applies to:

Oracle Access Manager - Version 11.1.2.1.1 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.

Symptoms

Followed the Oracle Access Manager 11g R2PS2 (OAM 11.1.2.2) docs, yet the Secure flag is not set on the OAM_REQ and OAM_ID cookies.

Oracle Docs:
====================
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1), Part Number E15478-06, 12 Managing Policy Components
About ssoCookie Challenge Parameters for Encrypted Cookies ...
ssoCookie=Secure


Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2) Part Number E27239-03
16 Managing Authentication and Shared Policy Components

Table 16-23 Challenge Parameters for 10g/11g Encrypted Cookies
11g/10g Webgate Challenge Parameter Syntax for Encrypted Cookies | Description

ssoCookie = Parameter that controls flags for the SSO cookie OAMAuthnCookie.
miscCookies = Parameter that controls flags for all other Access Manager encrypted cookies.

Secure - Ensures that the encrypted cookie is sent only when the resource is accessed through HTTPS. A secure cookie is required only when a browser is visiting a server using HTTPS.
ssoCookie=Secure
miscCookies=Secure

Steps to reproduce the issue:
==============================
1. Open a new browser session and call the following URL:
https://<OAM_HOSTNAME>:<OAM_PORT>/<PROTECTED_URL>

2. Login page is displayed...
address bar shows ... https://<OAM_HOSTNAME>/oam/server/obrareq.cgi ...

3. Enter the username and password: <USER_ID>/<PASSWORD>

4. Requested resource has been displayed.

5. In Chrome Developer Tools, under Resources > Cookies, the OAM_ID, OAM_REQ_0, and OAM_REQ_COUNT cookies are shown without the Secure flag set.

Additional Information:

SSL is terminated at the LB.
hostname.domain is the VIP ... request flow ... <OAM_HOSTNAME> ---> OHS ---> WebLogic server
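
The check in step 5 can also be run without a browser. The following is an added example, not part of the Oracle note: it scans captured response headers and reports which OAM cookies were issued without the Secure attribute. The sample headers, the host name sso.example.test and the cookie values are constructed placeholders.

```python
import re

# Cookie names taken from the note; OAM_REQ_0 and OAM_REQ_COUNT share the
# OAM_REQ prefix, and OAMAuthnCookie is the SSO cookie named in Table 16-23.
OAM_COOKIE = re.compile(r"^(OAM_ID|OAM_REQ(_\w+)?|OAMAuthnCookie\S*)$")

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0].strip()
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a}
    return name, flags

def missing_secure(raw_headers):
    """Return the names of OAM cookies whose Set-Cookie line lacks Secure."""
    missing = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, flags = parse_set_cookie(value)
        # Attribute names are case-insensitive, so compare in lower case.
        if OAM_COOKIE.match(name) and "secure" not in flags:
            missing.append(name)
    return missing

# Constructed sample response headers (placeholder values, not real tokens).
SAMPLE = """\
HTTP/1.1 302 Found
Location: https://sso.example.test/oam/server/obrareq.cgi
Set-Cookie: OAM_REQ_0=placeholder; path=/; HttpOnly
Set-Cookie: OAM_REQ_COUNT=placeholder; path=/; HttpOnly
Set-Cookie: OAM_ID=placeholder; path=/; HttpOnly
Set-Cookie: OAMAuthnCookie_app=placeholder; path=/; httponly; secure
Set-Cookie: OTHER=1; path=/
"""

if __name__ == "__main__":
    for cookie in missing_secure(SAMPLE):
        print(f"{cookie}: Secure flag not set")
```

Feed it headers captured at the browser-facing endpoint (the VIP), since that is where the browser receives the cookies.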

Cause

To view full details, sign in with your My Oracle Support account.
