OAM_REQ and OAM_ID Cookies Secure Flags are not set

(Doc ID 2140715.1)

Last updated on NOVEMBER 21, 2017

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


Followed Oracle Docs Yet OAM_REQ And OAM_ID Cookies Secure Flag Is Not Set

Oracle Docs:
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1), Part Number E15478-06, 12 Managing Policy Components
About ssoCookie Challenge Parameters for Encrypted Cookies ...

Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2 (11.1.2) Part Number E27239-03
16 Managing Authentication and Shared Policy Components

Table 16-23 Challenge Parameters for 10g/11g Encrypted Cookies
11g/10g Webgate Challenge Parameter Syntax for Encrypted Cookies | Description

ssoCookie = Parameter that controls flags for the SSO cookie OAMAuthnCookie.
miscCookies = Parameter that controls flags for all other Access Manager encrypted cookies.

Secure - Ensures that the encrypted cookie is sent only when the resource is accessed through HTTPS. A secure cookie is required only when a browser is visiting a server using HTTPS.

Steps to reproduce the issue:
1. Open a new browser session and call the following URL:

2. Login page is displayed...
address bar shows ... https://hostname.domain/oam/server/obrareq.cgi ...

3. Enter the username and password (admin/pwd).

4. Requested resource has been displayed.

5. In the Chrome developer tools, under Resources > Cookies, the OAM_ID, OAM_REQ_0, and OAM_REQ_COUNT cookies are shown without the Secure flag set.
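
A scripted version of the check in step 5, as an added example (not Oracle's code): it parses Set-Cookie response headers and lists the OAM cookies that lack the Secure attribute. The header lines, cookie values and function names are constructed for illustration.

```python
# Constructed sample of response headers; cookie values are placeholders,
# not real OAM output. One value contains the word "secure" on purpose.
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: OAM_ID=placeholder-id; Path=/; HttpOnly",
    "Set-Cookie: OAM_REQ_0=secure-looking-placeholder; Path=/; HttpOnly",
    "Set-Cookie: OAM_REQ_COUNT=placeholder; Path=/; HttpOnly",
    "set-cookie: OAMAuthnCookie=placeholder; Path=/; HttpOnly; Secure",
    "Set-Cookie: JSESSIONID=placeholder; Path=/",
]


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names)."""
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attributes come after the first ';'. The cookie value itself is
    # never inspected, so "secure" inside a value does not count.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(headers, prefixes=("OAM_", "OAMAuthnCookie")):
    """List Access Manager cookies that were set without the Secure attribute."""
    missing = []
    for header in headers:
        # Header names are case-insensitive.
        if not header.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(header)
        if name.startswith(prefixes) and "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"Secure flag not set: {cookie}")
```

The same function can be run over headers captured at the browser-facing side of the load balancer, since that is where the browser receives them.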

Additional Information:

SSL is terminated at the load balancer (LB).
hostname.domain is the VIP ... Request flow: hostname.domain ---> OHS ---> WebLogic server

