
Cookies not getting deleted after user logs out in OAM

Rahul Shah, Feb 17 2014

Hi,

For the normal login/logout scenario, I see a POST to /oam/server. This is when the OAM server session, OAM_ID, gets generated, before the user is redirected to the end resource with a new ObSSOCookie getting set.

When a user accesses a resource that is within the scope of Webgate, when the response comes back from our servers, Webgate adds an additional “set-cookie” header as the response passes through the web servers.
After the POST of AUTH_CRED_SUBMIT to /oam/server, the OAM responds with a 302 redirect to https://www.vodafone.co.uk/obrar.cgi (which is part of Webgate). This returns a new ObSSOCookie.
For "AutoLogin", I do not see OAM_ID generated anywhere. I see a new ObSSOCookie getting set when you first call
The Auto login process does not call AUTH_CRED_SUBMIT from /oam/server but uses the custom service.
The ObSSOCookie will be retrieved in the same way from Webgate.
So in summary – we get the token either by calling AUTH_CRED_SUBMIT from the browser (manual login) or the custom service programmatically (auto login).

From the OAM perspective, for every login a new row gets added into the database and gets deleted when the user logs out.

During normal login and logout this new record gets created and deleted fine.

During Autologin (login post successful registration) a new record gets created, but the same record is not getting deleted during the logout journey.

We investigated the scenarios below:

  • Normal login – ObSSOCookie gets created by OAM and user is navigated to landing page.
  • Normal user logout – ObSSOCookie created above gets updated and user is taken to logged out page.
  • Auto Login – ObSSOCookie gets generated by Online and user is navigated to landing page.
  • Logout post Autologin – ObSSOCookie is not getting updated but user is navigated to logged out page (but in logged state).

We are using OAM 11g R1 and 10g Webgate.

Has someone faced similar issues?

Thanks,

Rahul.
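
Added example, not part of the original post: a small check that can be run over the response headers captured at the logout step in each of the four scenarios above, reporting whether the response actually replaces the ObSSOCookie value the browser held before logout. The sample responses, host name and cookie values are constructed placeholders, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "ObSSOCookie"  # cookie name taken from the post

def cookie_set_by(response_headers, name=COOKIE_NAME):
    """Return the value the response sets for `name`, or None if it sets none."""
    value = None
    for line in response_headers.splitlines():
        field, _, rest = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(rest.strip())
        if name in jar:
            value = jar[name].value  # a later Set-Cookie overrides an earlier one
    return value

def logout_updates_cookie(value_before_logout, response_headers):
    """True only if the logout response replaces the pre-logout cookie value."""
    after = cookie_set_by(response_headers)
    return after is not None and after != value_before_logout

# Constructed samples (not captured traffic); host and values are placeholders.
NORMAL_LOGOUT = """HTTP/1.1 302 Found
Location: https://sso.example.test/logged-out
Set-Cookie: ObSSOCookie=constructed-value-B; path=/; httponly
"""
LOGOUT_AFTER_AUTOLOGIN = """HTTP/1.1 302 Found
Location: https://sso.example.test/logged-out
Set-Cookie: JSESSIONID=constructed-session; path=/
"""

if __name__ == "__main__":
    before = "constructed-value-A"  # value the browser held before logout
    for label, resp in [("normal logout", NORMAL_LOGOUT),
                        ("logout after auto login", LOGOUT_AFTER_AUTOLOGIN)]:
        ok = logout_updates_cookie(before, resp)
        print(f"{label}: ObSSOCookie {'updated' if ok else 'NOT updated'}")
```

A response that sets no ObSSOCookie, or re-sets the same value, leaves the browser holding a token that is still presented on the next request, which matches the "logged out page but still logged in" symptom described in the last bullet.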

Locked on Mar 17 2014
Added on Feb 17 2014