The ObSSOCookie Gets Set To 'loggedoutcontinue' When Cancelling Authentication To A Higher Level Authentication Scheme
(Doc ID 437939.1)
Last updated on JANUARY 31, 2019
Applies to: COREid Access - Version 10.1.4 to 10.1.4 [Release 10g]
Information in this document applies to any platform.
Checked for relevance on 12-Apr-2010
All WebGates prior to 10.1.4 leave the ObSSOCookie intact when the WebGate determines that a timeout condition has occurred or that step-up authentication is required. The WebGate redirects the user to the appropriate authentication form. In a step-up scenario, if a user does not have the capability to authenticate to the higher level, they can simply go 'back' in the browser to carry on browsing resources at their currently authenticated level.
With the 10.1.4 WebGates, the ObSSOCookie is set to loggedoutcontinue for both timeout and step-up scenarios. While this is acceptable for an expiry condition, it is unacceptable for a step-up scenario, as the user experience is poor.
Steps to reproduce:
- Request a resource protected at level 10 (password)
- When presented with the login form, enter username and password
- Now request a resource protected at level 20
- The login form is presented
- The user chooses not to authenticate (maybe they don't have the capability to authenticate at the higher level) and hits the back button in the browser
- The user will now be asked to log on again (with username/password)
- If the page above is cached, they won't be challenged to authenticate now, but they will be prompted to authenticate again when they request a non-cached page
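The following Python model is an added illustration, not Oracle code: it replays the reproduction steps against the two cookie-handling behaviours described above so the difference at the "back" step is visible. The `WebGate` class, the `reproduce` function and the use of a plain integer level as the cookie value are assumptions made for the sketch (the real ObSSOCookie is an encrypted token), and the timeout case is not modelled.

```python
# Simplified model of the step-up behaviour described in this note.
# Cookie value: absent (no session), an int (authenticated level), or LOGGED_OUT.
LOGGED_OUT = "loggedoutcontinue"


class WebGate:
    def __init__(self, resets_cookie_on_step_up):
        # True models the 10.1.4 behaviour; False models WebGates prior to 10.1.4.
        self.resets_cookie_on_step_up = resets_cookie_on_step_up

    def request(self, browser, required_level):
        """Return 'served' or 'login-form'; may rewrite browser['ObSSOCookie']."""
        cookie = browser.get("ObSSOCookie")
        level = cookie if isinstance(cookie, int) else 0
        if level >= required_level:
            return "served"
        # Step-up needed while a lower-level session exists.
        if level > 0 and self.resets_cookie_on_step_up:
            browser["ObSSOCookie"] = LOGGED_OUT  # existing session is discarded
        return "login-form"

    def login(self, browser, level):
        browser["ObSSOCookie"] = level


def reproduce(gate, back_page_cached=False):
    """Walk the reproduction steps; return (outcomes, final cookie value)."""
    browser, trace = {}, []
    trace.append(gate.request(browser, 10))  # level-10 resource -> login form
    gate.login(browser, 10)                  # user enters username/password
    trace.append(gate.request(browser, 20))  # level-20 resource -> login form
    # User declines to authenticate and presses Back to the level-10 page.
    if back_page_cached:
        trace.append("served-from-cache")    # browser sends no request at all
    else:
        trace.append(gate.request(browser, 10))
    trace.append(gate.request(browser, 10))  # next non-cached level-10 page
    return trace, browser["ObSSOCookie"]


if __name__ == "__main__":
    for label, flag in (("pre-10.1.4", False), ("10.1.4", True)):
        print(label, reproduce(WebGate(flag)))
    print("10.1.4, cached back page", reproduce(WebGate(True), back_page_cached=True))
```
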