OpenAM / OPENAM-14573

amlbcookie is not secure when authenticating with trees

    Details

    • AM Sustaining Sprint 60, AM Sustaining Sprint 61

      Description

      Bug description

      The Authentication Tree ignores the 'com.iplanet.am.cookie.secure' and 'com.sun.identity.cookie.httponly' settings for amlbcookie. Authentication Chains/Modules honour these settings for amlbcookie.

      How to reproduce the issue

      1. Set up Tomcat with HTTPS:
        https://backstage.forgerock.com/docs/am/6.5/install-guide/#sec-install-self-signed-certificates
      2. Enable secure cookies: 'com.iplanet.am.cookie.secure=true'
      3. Configure the AM server to use HttpOnly cookies by navigating to Configure > Server Defaults > Advanced and setting the com.sun.identity.cookie.httponly property's value to true. Save your changes.
      4. Log in to a tree. With this example, remove the webhook if you have not configured one.
        https://openam6.example.com:8445/openam/XUI/?realm=/#login/&service=Example
      5. Check your amlbcookie with a HAR capture or a cookie manager: it will be neither Secure nor HttpOnly, but your iPlanetDirectoryPro cookie will be Secure and HttpOnly.
      Expected behaviour

      Both iPlanetDirectoryPro and amlbcookie should be secure.

      Current behaviour

      amlbcookie is not secure.
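      The check in step 5 can be scripted against a HAR export from the browser. The script below is an added example, not part of the issue or of the AM code base; it parses the Set-Cookie headers in a HAR file and reports which of the AM session cookies lack the Secure or HttpOnly attribute. The HAR fragment is constructed to mirror the behaviour described above.

```python
import json

# Cookies the issue expects AM to protect (taken from the description above).
AM_SESSION_COOKIES = {"iPlanetDirectoryPro", "amlbcookie"}


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_har(har_text, watch=AM_SESSION_COOKIES):
    """Return {cookie_name: [missing flags]} for every watched cookie set in the HAR."""
    findings = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        for header in entry["response"].get("headers", []):
            if header["name"].lower() != "set-cookie":
                continue
            name, attrs = parse_set_cookie(header["value"])
            if name not in watch:
                continue
            # Record which of the two protective attributes are absent.
            findings[name] = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
    return findings


# Constructed sample HAR fragment: the session cookie is protected, amlbcookie is not.
SAMPLE_HAR = json.dumps({"log": {"entries": [{"response": {"headers": [
    {"name": "Set-Cookie",
     "value": "iPlanetDirectoryPro=AQIC5wM2LY4Sfcw; Path=/; Domain=.example.com; Secure; HttpOnly"},
    {"name": "Set-Cookie",
     "value": "amlbcookie=01; Path=/; Domain=.example.com"},
]}}]}})

if __name__ == "__main__":
    for cookie, missing in audit_har(SAMPLE_HAR).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

      Run it against a real capture with `audit_har(open("login.har").read())`; an empty list for a cookie means both attributes were present.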
      

              People

              kamal.sivanandam@forgerock.com Kamal Sivanandam
              william.hepler William Hepler