ssoCookie Challenge Parameters for Encrypted Cookies – OAM 10 & 11g

Migrating OAM 10 to 11g : ssoCookie Challenge Parameters for Encrypted Cookies

  • 11g Webgate, One per agent: OAMAuthnCookie_<host:port>_<random number> set by Webgate using the authentication token received from the OAM Server after successful authentication

    Note: A valid OAMAuthnCookie is required for a session.

  • 10g Webgate, One ObSSOCookie for all 10g Webgates.

Oracle Access Manager provides the ssoCookie challenge parameter that you can use within any authentication scheme to control how Webgates set the flags of the encrypted cookie. For example:

  • Securing Encrypted Cookie: Ensures that the encrypted cookie is sent only over an SSL connection and prevents the encrypted cookie from being sent back to a non-secure Web server.
  • Persisting Encrypted Cookie: Allows the user to log in for a time period rather than a single session. Persistent cookie functionality works with Internet Explorer and Mozilla browsers.

Syntax between the parameter and values differs slightly depending upon your Webgate releases, as follows:

11g Webgate ssoCookie=

10g Webgate ssoCookie:

Multiple values must be separated by a semicolon (;). For example:

11g Webgate ssoCookie=<value1>;<value2>;...

10g Webgate ssoCookie:<value1>;<value2>;...

The following example specifies sending the encrypted cookie over only an SSL connection and allows access to the encrypted cookie through client side scripts:

11g Webgate ssoCookie=Secure;disablehttponly

10g Webgate ssoCookie:Secure;disablehttponly


The value of the challenge parameter is case-sensitive. Be sure to enter an uppercase C in ssoCookie, and uppercase S in Secure.
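A small lint check for the syntax rules above, added here as an example (it is not code from the original page or from Oracle): it checks the release-specific separator and the case of ssoCookie and its values, and flags a missing Secure or a disablehttponly. The function name and finding codes are hypothetical, and only the values named on this page are recognised.

```python
import re

SEPARATOR = {"11g": "=", "10g": ":"}   # name/value separator per Webgate release
KNOWN_VALUES = ("Secure", "httponly", "disablehttponly")  # values named on this page

def lint_sso_cookie(param, release):
    """Return (code, detail) findings for one ssoCookie challenge parameter."""
    m = re.fullmatch(r"\s*([A-Za-z]+)([=:])(.*?)\s*", param)
    if not m or m.group(1).lower() != "ssocookie":
        return [("not-ssocookie", param)]
    name, sep, raw = m.groups()
    findings = []
    if name != "ssoCookie":            # the parameter name is case-sensitive
        findings.append(("name-case", f"'{name}' should be 'ssoCookie'"))
    if sep != SEPARATOR[release]:
        findings.append(("separator", f"{release} Webgate expects '{SEPARATOR[release]}'"))
    values = [v.strip() for v in raw.split(";") if v.strip()]
    for v in values:
        if v in KNOWN_VALUES:
            continue
        close = [k for k in KNOWN_VALUES if k.lower() == v.lower()]
        if close:                      # right word, wrong case
            findings.append(("value-case", f"'{v}' should be '{close[0]}'"))
        else:                          # anything this example does not know about
            findings.append(("value-unknown", f"'{v}' is not covered by this check"))
    if "Secure" not in values:
        findings.append(("no-secure", "cookie is not restricted to SSL connections"))
    if "disablehttponly" in values:
        findings.append(("script-readable", "cookie is exposed to client-side scripts"))
    return findings

if __name__ == "__main__":
    # Constructed sample parameters, not taken from a real deployment.
    samples = [("ssoCookie=Secure", "11g"),
               ("ssoCookie:Secure;disablehttponly", "10g"),
               ("ssocookie:secure", "11g")]
    for param, release in samples:
        print(release, param, lint_sso_cookie(param, release))
```

An empty list means the parameter passed every check in this example; the sample from this page (Secure;disablehttponly) is reported as script-readable.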

The table below describes the specific challenge parameters that control how Webgates set encrypted cookie flags for single sign-on.

Syntax for 11g Webgate and OAMAuthnCookie Syntax for 10g Webgate and ObSSOCookie Description
Parameter that controls flags for encrypted cookies.
Ensures that the encrypted cookie is not accessible to client side scripts such as JavaScript.

Default: Enabled

Explicitly disables httponly functionality, making the encrypted cookie accessible to client side scripts.

Once explicitly disabled, you must use the default value (httponly) to enable it.

Ensures that the encrypted cookie is sent only when the resource is accessed through HTTPS. A secure cookie is required only when a browser is visiting a server using HTTPS.
Creates a persistent cookie in Internet Explorer and Mozilla browsers, rather than one that lasts for a single session.

Specifies the time interval in seconds when the cookie expires. For example, to set the cookie to expire in 30 days (2592000 seconds):

