Monday, April 4, 2016

Challenge Parameters in OAM Authentication Scheme

Some of the common challenge parameters used in an OAM Authentication Scheme are:


  • ssoCookie - It is a good practice to mark all OAM cookies as Secure and HttpOnly. This can be done in each individual authentication scheme. The exact OAM-11g-R1 syntax is "ssoCookie=Secure;httponly" in the Challenge-Parameters field.

    • httponly - By marking the cookie as HttpOnly, you are ensuring that the browser only sends the cookie with HTTP requests; it is not accessible to client-side script such as JavaScript. Without this setting an attacker can steal the cookie via cross-site scripting.
    • secure - This setting limits cookie transmission to the encrypted (HTTPS) channel only. It is an additional protection on top of the httponly setting.

  • enablePersistentLogin= true - Required for persistent login feature in OAM 11g R2

  • overrideRetryLimit=1 - The OverrideRetryLimit property that you define in the "Challenge Parameters" section of the authentication scheme associated with the application domain overrides DefaultRetryLimit. In the case in question, the Challenge Parameters contained OverrideRetryLimit=1, which is what led to the observed behaviour.

  • filterOAMAuthnCookie - For 11g WebGate, a user-defined parameter (filterOAMAuthnCookie, default true) can be used to prevent the OAMAuthnCookie from being passed to downstream applications, for security reasons. If you do want to pass the cookie on, set the filterOAMAuthnCookie parameter to false.
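As an added example (not from this post and not Oracle's code), here is a small Python audit that reads a Challenge Parameters block and reports which of the settings above are missing or weakened. It assumes the parameters are entered as in the OAM console, one name=value entry per line, with the ssoCookie value holding ';'-separated cookie attributes.

```python
"""Audit an OAM authentication-scheme 'Challenge Parameters' block.

Added example, not Oracle's code. Assumes one name=value entry per line
(as typed into the OAM console) and a ';'-separated ssoCookie value.
"""

# Constructed sample: Secure is missing and the OAMAuthnCookie is forwarded.
SAMPLE = """ssoCookie=httponly
filterOAMAuthnCookie=false
OverrideRetryLimit =1
"""


def parse_challenge_parameters(text):
    """Return {lower-cased name: value} parsed from 'name=value' lines.

    Blank lines are ignored; whitespace around '=' is tolerated so that
    'OverrideRetryLimit =1' (as seen in support notes) still parses.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params


def audit_challenge_parameters(text):
    """Return a list of findings; an empty list means no weak settings found."""
    params = parse_challenge_parameters(text)
    findings = []
    # ssoCookie attributes are matched case-insensitively ("Secure;httponly").
    attrs = {a.strip().lower() for a in params.get("ssocookie", "").split(";") if a.strip()}
    if "secure" not in attrs:
        findings.append("ssoCookie lacks Secure: OAM cookies may travel over plain HTTP")
    if "httponly" not in attrs:
        findings.append("ssoCookie lacks httponly: OAM cookies readable by page script (XSS risk)")
    if params.get("filteroamauthncookie", "true").lower() == "false":
        findings.append("filterOAMAuthnCookie=false: OAMAuthnCookie is forwarded downstream")
    retry = params.get("overrideretrylimit")
    if retry is not None and (not retry.isdigit() or int(retry) < 1):
        findings.append(f"overrideRetryLimit={retry!r} is not a positive integer")
    return findings


if __name__ == "__main__":
    for finding in audit_challenge_parameters(SAMPLE):
        print("FINDING:", finding)
```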