Showing posts with label OAM XSS.

Tuesday, July 2, 2013

Always Mark Your OAM Cookie as Secure and HttpOnly

It is good practice to mark all OAM cookies as Secure and HttpOnly. This is configured per authentication scheme: in OAM 11gR1 the syntax is "ssoCookie=Secure;httponly" in the Challenge Parameters field of the scheme.

httponly :- A cookie marked HttpOnly is still sent by the browser on every HTTP(S) request to the cookie's domain, but it is hidden from client-side script: "document.cookie" and other non-HTTP access paths cannot read it. This matters because the classic cross-site scripting payload steals the session by reading document.cookie and sending it to an attacker-controlled host; with HttpOnly set, that theft fails. Note that HttpOnly does not stop an injected script from making authenticated requests from the victim's browser, so it limits the impact of an XSS rather than removing the need to fix it.

Secure :- A cookie marked Secure is only transmitted over an encrypted (https) channel, so it is never sent in clear text where a network attacker could capture it, for example when a user follows a plain http link to a protected resource. The two flags address different threats and belong together: Secure protects the cookie in transit, HttpOnly protects it from script.
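Once the challenge parameter is in place, the quickest check is to look at the Set-Cookie headers the OAM server and webgate actually return. The following is an added example (not OAM code or part of the original post) that parses Set-Cookie header values and reports which cookies are missing the Secure or HttpOnly flag. The cookie names and values in it are constructed placeholders; paste in the real headers from a `curl -sI` against a protected resource.

```javascript
// Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.
// Standalone illustration, not OAM code. Cookie names and values are constructed.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are matched case-insensitively, as browsers do.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Report which protective flags a single Set-Cookie header is missing.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const secure = cookie.attributes.secure === true;
  const httpOnly = cookie.attributes.httponly === true;
  const missing = [];
  if (!secure) missing.push("Secure");
  if (!httpOnly) missing.push("HttpOnly");
  return { name: cookie.name, secure, httpOnly, missing };
}

// Audit every Set-Cookie header of a response; returns one finding per weak cookie.
function cookiesMissingFlags(setCookieHeaders) {
  return setCookieHeaders
    .map(auditSetCookie)
    .filter((r) => r.missing.length > 0)
    .map((r) => `${r.name}: missing ${r.missing.join(", ")}`);
}

// Constructed sample headers, before and after the challenge parameter is set.
// The values are placeholders, not real session cookies.
const BEFORE_FIX = [
  "OAM_ID=abc123; path=/",
  "OAMAuthnCookie_www.example.com:443=def456; path=/",
];
const AFTER_FIX = [
  "OAM_ID=abc123; path=/; Secure; HttpOnly",
  "OAMAuthnCookie_www.example.com:443=def456; path=/; Secure; HttpOnly",
];

console.log("before:", cookiesMissingFlags(BEFORE_FIX));
console.log("after: ", cookiesMissingFlags(AFTER_FIX));
```

The parser lower-cases attribute names because the flags are case-insensitive on the wire ("HTTPONLY" is as good as "HttpOnly"); a naive string search for the exact spelling would report false negatives.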


Monday, September 24, 2012

Making your OAM custom Login Form XSS safe

In real-life OAM implementations we all use a customised login form, which is called from the OAM authentication scheme. These custom login screens often use JavaScript, and the screen contains at least two input parameters, 'Login-Name' and 'Password', whose values are often echoed back to the page. So the screen is a perfect playground for an XSS (Cross-Site Scripting) attack. Here are a few tips to make it XSS safe. For more information about XSS vulnerabilities check the OWASP website (https://www.owasp.org/index.php/XSS).

1. Make sure your authentication scheme has the challenge parameter "ssoCookie=httponly". This ensures that JavaScript running in the page cannot read the OAM cookies, so a successful XSS cannot simply exfiltrate the session via document.cookie.

2. Input validation is a must. For example, an evil user may enter "JohnDoe<script>alert(document.cookie);</script>" in the username field to test whether the login form is vulnerable to XSS. A login name should be checked against an allow-list of the characters your identity store actually uses and rejected otherwise, rather than trying to strip known-bad strings.

3. Always encode user-supplied data for the context in which it is output (HTML body, HTML attribute, CSS, JavaScript, URL); each context needs a different encoder. After HTML encoding, the payload above is rendered as harmless text and its source looks like "&lt;script&gt;alert(document.cookie);&lt;/script&gt;".
Use the OWASP ESAPI library to do this safe encoding (for example ESAPI.encoder().encodeForHTML(...) for HTML content and encodeForJavaScript(...) for a value placed inside a script) instead of hand-rolled replace() calls.
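To make tips 2 and 3 concrete, here is an added example (not part of the original post, and not the ESAPI library itself) that runs the test payload from tip 2 through an allow-list login-name check and then through two context-specific encoders, one for the HTML body and one for a value embedded in an inline script. It is standalone JavaScript so it can be run without a WebLogic server; in a JSP login page the equivalent calls are the ESAPI encoders named above. The login-name pattern and the "login failed" markup are assumptions made for the example.

```javascript
// Added example: allow-list validation plus context-specific output encoding,
// demonstrated against the XSS test payload from the post. Standalone code,
// not OAM or ESAPI; the regex and markup below are assumptions for the example.

const PAYLOAD = "JohnDoe<script>alert(document.cookie);</script>";

// Tip 2: validate the login name against an allow-list. The pattern here is an
// assumption; adapt it to what your identity store actually permits.
const LOGIN_NAME = /^[A-Za-z0-9._@-]{1,64}$/;

function isValidLoginName(name) {
  return typeof name === "string" && LOGIN_NAME.test(name);
}

// Tip 3a: HTML body/attribute context. Encode the characters that can change the
// HTML parse, plus "/" so a closing tag can never be formed from user data.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

function encodeForHTML(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Tip 3b: JavaScript string context. Escape everything except alphanumerics as
// \xHH or \uHHHH, so the value can only ever be a string literal: no quote can
// break out of it and no "</script>" can close the surrounding script block.
function encodeForJavaScript(s) {
  return Array.from(String(s), (ch) => {
    if (/^[A-Za-z0-9]$/.test(ch)) return ch;
    const code = ch.codePointAt(0);
    if (code < 0x100) return "\\x" + code.toString(16).padStart(2, "0");
    if (code < 0x10000) return "\\u" + code.toString(16).padStart(4, "0");
    return "\\u{" + code.toString(16) + "}"; // astral plane (ES2015 escape)
  }).join("");
}

// Render the "login failed" fragment the way a custom form typically does:
// the login name is echoed once in the HTML body and once inside an inline script.
function renderLoginError(loginName) {
  return [
    `<p>Login failed for user ${encodeForHTML(loginName)}</p>`,
    `<script>var lastUser = "${encodeForJavaScript(loginName)}";</script>`,
  ].join("\n");
}

// Count real (unencoded) script tag openers in rendered output. The only one we
// expect is the one the template writes itself.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log("valid login name:", isValidLoginName(PAYLOAD)); // false
console.log(renderLoginError(PAYLOAD));
console.log("script tags in output:", scriptTagCount(renderLoginError(PAYLOAD))); // 1
```

Validation alone is not enough: a name that passes the allow-list today may be echoed into a new context tomorrow, and a name that fails validation is usually still echoed in the error message. That is why the encoding step is applied unconditionally on output, and why the encoder is chosen per context rather than a single HTML escape being reused inside the script block.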