Channel: oam – Oracle Trainings for Apps & Fusion DBA

Securing ObFormLoginCookie in OAM 10g


We usually secure ObSSOCookie so that the cookie is passed only in an SSL environment and non-SSL applications cannot access it. This is a very good feature for improving security in OAM. If you also want to secure ObFormLoginCookie, you can do so, although you won't find any sensitive information in this cookie. Unlike securing ObSSOCookie, securing ObFormLoginCookie still allows end users to access applications over both non-SSL and SSL. The steps below secure ObFormLoginCookie in OAM 10g. Perhaps this would work in 11g too, although I haven't tried it.

  1. Login to OAM Access Console.
  2. Edit form authentication scheme.
  3. Specify the challenge parameter miscCookies:Secure along with the other challenge parameters. Refer to the screenshot below.
  4. Restart the Resource Webgate for quick config refresh.
  5. Access the application protected by the above Form Auth scheme.
  6. Observe that when the ObFormLoginCookie is set, it also carries the "Secure" attribute. For example:

Set-Cookie: ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html%20wo%3D1%20rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html; Secure; path=/dummy.cgi
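To verify step 6 without reading headers by eye, the check below parses Set-Cookie values, reports whether ObFormLoginCookie carries the Secure attribute, and URL-decodes the cookie value so you can see what it holds. It is an added example, not code from the original post or from Oracle; the function names are hypothetical, and the "before" header is constructed by removing Secure from the header shown above.

```python
from urllib.parse import unquote

# Header value copied from the example above (RESOURCE-WEBGATE-HOST is the post's placeholder).
SAMPLE = ("ObFormLoginCookie=wh%3DRESOURCE-WEBGATE-HOST%20wu%3D%2Findex.html%20wo%3D1%20"
          "rh%3Dhttps%3A%2F%2FRESOURCE-WEBGATE-HOST%3A8080%20ru%3D%2Findex.html; "
          "Secure; path=/dummy.cgi")

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, raw_value, attributes)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, raw = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    return name.strip(), raw, attrs

def decode_fields(raw):
    """URL-decode the cookie value and split its space-separated key=value fields."""
    fields = {}
    for token in unquote(raw).split():
        key, _, value = token.partition("=")  # split on the first '=' only (rh holds a URL)
        fields[key] = value
    return fields

def audit(set_cookie_headers, cookie_name="ObFormLoginCookie"):
    """Return one finding per matching cookie: Secure flag, path and decoded fields."""
    findings = []
    for header in set_cookie_headers:
        name, raw, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        findings.append({"secure": "secure" in attrs,
                         "path": attrs.get("path"),
                         "fields": decode_fields(raw)})
    return findings

if __name__ == "__main__":
    # Constructed "before" header: the same cookie with the Secure attribute removed.
    before = SAMPLE.replace("; Secure", "")
    for label, header in (("before", before), ("after", SAMPLE)):
        for finding in audit([header]):
            state = "Secure" if finding["secure"] else "NOT Secure"
            print(label, state, finding["path"], finding["fields"])
```

Feed `audit()` the Set-Cookie values captured from the login redirect after restarting the Webgate; an entry with `secure` set to False means the challenge parameter has not taken effect for that scheme.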

