The intention of this improvement is to support a deployment where a non-OpenAM cookie with the same name as the OpenAM session cookie is in use. Neither OpenAM nor the agent must overwrite that cookie, and requests carrying it need to be redirected to an external application instead.
Add a toggleable option, plus a second attribute holding the external application redirect URL.
When a request comes in, check that the session token in the cookie is of a valid format before contacting OpenAM. If the format is invalid and the option is enabled, redirect to the configured URL without touching the cookie.
The documentation must make clear that this behaviour can lead to redirect loops: the redirect target should not be OpenAM itself, and it is the target application's responsibility not to redirect back to the agent without first changing the cookie.
Test with a large base64-encoded string and with a truncated cookie. With the option enabled, the redirect should occur and the session cookie should still be present and unchanged.
With the option disabled, the behaviour described in AMAGENTS-68 should occur.
In both cases an audit error message should be logged stating that an invalid token has been detected.
With the option enabled, a second audit message should be logged stating that the request is being redirected to the external application.
This matters because a malformed cookie may be a sign that an attacker is tampering with cookies.
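The decision flow proposed above (format check before contacting OpenAM, the toggle, the redirect URL attribute, the untouched cookie and the two audit messages), written out as an added Python illustration. This is not the agent's own code (the OpenAM agents are written in C and Java) and the ticket names no attributes, so the option names invalid_token_redirect_enabled and invalid_token_redirect_url, the token format rule (URL-safe base64 characters plus '.' and '*', between 40 and 400 characters) and the sample cookie values are all assumptions made for the example; the branch for the disabled case only hands off to the existing behaviour, since AMAGENTS-68 is referenced but not described here.

```python
import base64
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Illustrative format rule for the value of the session cookie. It is an
# ASSUMPTION for this example, not the real OpenAM token grammar: a real agent
# would use the product's own token parser. Here a well-formed value consists
# only of URL-safe base64 characters plus '.' and '*', within length bounds.
TOKEN_CHARS = re.compile(r"^[A-Za-z0-9._*-]+$")
MIN_TOKEN_LEN = 40   # assumed lower bound; catches truncated cookies
MAX_TOKEN_LEN = 400  # assumed upper bound; catches oversized cookies


@dataclass
class AgentConfig:
    cookie_name: str = "iPlanetDirectoryPro"           # OpenAM's default session cookie name
    invalid_token_redirect_enabled: bool = False      # the proposed toggle (hypothetical name)
    invalid_token_redirect_url: Optional[str] = None  # the proposed URL attribute (hypothetical name)


@dataclass
class Decision:
    action: str                  # "forward_to_openam", "redirect_external" or "existing_behaviour"
    location: Optional[str]      # redirect target when action is "redirect_external"
    cookies: Dict[str, str]      # cookies as they leave the agent
    audit: List[str] = field(default_factory=list)


def token_format_valid(token: str) -> bool:
    """Cheap local syntax check, run before any round trip to OpenAM."""
    return MIN_TOKEN_LEN <= len(token) <= MAX_TOKEN_LEN and TOKEN_CHARS.match(token) is not None


def handle_request(cookies: Dict[str, str], config: AgentConfig) -> Decision:
    audit: List[str] = []
    passthrough = dict(cookies)  # the agent never modifies the incoming cookie jar
    token = cookies.get(config.cookie_name)

    if token is None or token_format_valid(token):
        # Normal path: OpenAM issues or validates the session.
        return Decision("forward_to_openam", None, passthrough, audit)

    # Logged in both branches: a malformed cookie may indicate tampering.
    audit.append(f"AUDIT ERROR: invalid session token detected in cookie "
                 f"'{config.cookie_name}' (length {len(token)})")

    if config.invalid_token_redirect_enabled:
        if not config.invalid_token_redirect_url:
            raise ValueError("invalid-token redirect enabled but no redirect URL configured")
        # The target must not be OpenAM and must change the cookie before sending
        # the user back, otherwise the agent sees the same bad cookie again (loop).
        audit.append(f"AUDIT: redirecting request with invalid token to external "
                     f"application {config.invalid_token_redirect_url}")
        return Decision("redirect_external", config.invalid_token_redirect_url, passthrough, audit)

    # Toggle disabled: hand off to the agent's existing invalid-token handling
    # (the behaviour the ticket refers to as AMAGENTS-68, which it does not spell out).
    return Decision("existing_behaviour", None, passthrough, audit)


def constructed_cookie_values() -> Dict[str, str]:
    """Constructed sample values: the two test cases from the ticket plus a well-formed one."""
    return {
        "well_formed": "AQIC" + "x" * 40 + ".*AAJTSQAC" + "y" * 10 + "*",  # 65 chars, allowed charset
        "large_base64": base64.b64encode(os.urandom(1500)).decode(),       # 2000 chars, over MAX_TOKEN_LEN
        "truncated": "AQIC5wM2LY4Sfcx",                                    # cut short, under MIN_TOKEN_LEN
    }


def run_cases(enabled: bool) -> Dict[str, Decision]:
    cfg = AgentConfig(invalid_token_redirect_enabled=enabled,
                      invalid_token_redirect_url="https://app.example.com/session-recovery")
    results = {}
    for name, value in constructed_cookie_values().items():
        results[name] = handle_request({cfg.cookie_name: value, "JSESSIONID": "abc123"}, cfg)
    return results


if __name__ == "__main__":
    for enabled in (True, False):
        for name, d in run_cases(enabled).items():
            print(f"enabled={enabled} {name}: {d.action} -> {d.location}; audit={d.audit}")
```

Running the block prints the decision for each sample value with the toggle on and off; with the toggle on, both malformed values produce a redirect with two audit lines and the original cookie still in the jar, and with it off they produce one audit line and fall through to the existing handling.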