In OAM 11g, two types of cookies are generated:

- OAM_ID (server side)
- OAMAuthnCookie_<host_port>

OAMAuthnCookie is encrypted with a key specific to a particular webgate and cannot work with any other webgate.

User requests the resource
--> webgate intercepts the request and sends a request to OAM to check whether the resource is protected
--> if it is protected, the credential collector sends a login page to collect the credentials
--> if the credentials are correct, the OAM_ID cookie is generated at the server side
--> OAM server generates the OAMAuthnCookie_<host_port> and sends it to the webgate

Contents of the OAMAuthnCookie (ObSSOCookie for 10g webgate) are:

- Authenticated User DN
- Authentication Level
- IP Address
- SessionID (reference to server-side session – OAM 11g only)
- Session start and refresh time
- Session InActivity Global and Max
- Validation Hash
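The per-webgate binding described above can be modelled in a few lines. This is an added example, not Oracle's code or the real cookie format: the class and function names, the JSON layout, the sample hosts and the IP check are assumptions, and an HMAC tag stands in for OAM's encryption and validation hash.

```python
import base64, hashlib, hmac, json, secrets, time

class OAMServerModel:
    """Toy stand-in for the OAM server: server-side sessions plus one key per webgate."""
    def __init__(self, webgates):
        self.sessions = {}  # server-side session state (the OAM_ID side)
        self.keys = {wg: secrets.token_bytes(32) for wg in webgates}

    def login(self, user_dn, client_ip, webgate, auth_level=2):
        """Create the server-side session, then issue a cookie bound to one webgate."""
        session_id = secrets.token_hex(16)
        now = int(time.time())
        self.sessions[session_id] = {"user_dn": user_dn, "start": now}
        body = json.dumps({"user_dn": user_dn, "auth_level": auth_level,
                           "ip": client_ip, "session_id": session_id,
                           "start": now, "refresh": now}, sort_keys=True).encode()
        # Tag computed with the key of the requesting webgate only (assumed scheme).
        tag = hmac.new(self.keys[webgate], body, hashlib.sha256).digest()
        value = (base64.urlsafe_b64encode(body).decode() + "." +
                 base64.urlsafe_b64encode(tag).decode())
        return "OAMAuthnCookie_" + webgate, value

def webgate_validate(webgate_key, cookie_value, client_ip):
    """Return the cookie claims if this webgate's key verifies them, else None."""
    try:
        body_b64, tag_b64 = cookie_value.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(webgate_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # issued for another webgate, or modified in transit
    claims = json.loads(body)
    # Assumed policy: the request must come from the IP recorded in the cookie.
    return claims if claims["ip"] == client_ip else None

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    wg1, wg2 = "app1.example.test:7777", "app2.example.test:7777"
    server = OAMServerModel([wg1, wg2])
    name, value = server.login("cn=jdoe,dc=example,dc=test", "192.0.2.10", wg1)
    print(name)
    print("webgate 1 accepts:", webgate_validate(server.keys[wg1], value, "192.0.2.10") is not None)
    print("webgate 2 accepts:", webgate_validate(server.keys[wg2], value, "192.0.2.10") is not None)
```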