Sun OpenSSO Enterprise 8.0 Integration Guide

Overview of a Typical Oracle Access Manager Session

The Access Server generates a session token, delivered by way of a URL that contains the ObSSOCookie. When the cookie is generated, part of the cookie is used as an encrypted session token. The encrypted session token contains the following:

If the user has not been idle, the cookie is updated at a fixed interval to prevent the session from timing out. The update interval is one quarter of the idle session timeout parameter.

Unencrypted ObSSOCookie data includes the following:

The ObSSOCookie is intended as a secure mechanism for user authentication. When the Access System generates the cookie, it takes an MD5 hash of the session token. When the ObSSOCookie is presented to authenticate a user, the Access Server hashes the session token again and compares the result with the hash already present in the cookie. MD5 is a one-way hash, so it cannot be reversed to recover the token. If the two hashes do not match, the cookie is treated as corrupt. The design relies on the fact that anyone who tampers with the session token will change its hash. Note that MD5 is an unkeyed hash: by itself it only detects corruption, so the protection against a deliberate forgery rests on the session token being encrypted under a key the attacker does not hold, and MD5 is no longer considered collision resistant.
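The following is an added example, not code from the Integration Guide or from Oracle Access Manager, that models the mechanism described above: an encrypted session token carried in a cookie alongside an MD5 hash of the token, the re-hash-and-compare check on presentation, and the refresh interval of one quarter of the idle timeout. The cookie layout, the field names, the shared key, the timeout value and the `toy_encrypt` routine are all assumptions made so the example runs with the Python standard library; they do not represent the real ObSSOCookie format or the cipher the Access Server uses.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed example value for the idle session timeout (seconds); not an OAM default.
IDLE_TIMEOUT_SECONDS = 3600


def refresh_interval(idle_timeout_seconds: int) -> int:
    """Cookie refresh interval: one quarter of the idle session timeout."""
    return idle_timeout_seconds // 4


def needs_refresh(last_update: int, now: int, idle_timeout_seconds: int) -> bool:
    """True when an active session's cookie is due for its periodic update."""
    return now - last_update >= refresh_interval(idle_timeout_seconds)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the Access Server's token encryption (assumption).

    XOR with a SHA-256-derived keystream, used only so the example runs
    offline with the standard library. It is NOT the cipher OAM uses. The
    operation is symmetric, so the same call decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_cookie(key: bytes, token_fields: dict) -> str:
    """Model of the cookie: base64(encrypted token) '.' md5(token)."""
    token = json.dumps(token_fields, sort_keys=True).encode()
    digest = hashlib.md5(token).hexdigest()   # hash of the plaintext token
    blob = toy_encrypt(key, token)            # encrypted session token
    return base64.urlsafe_b64encode(blob).decode() + "." + digest


def verify_cookie(key: bytes, cookie: str) -> Optional[dict]:
    """Decrypt, re-hash the token, and compare with the hash stored in the cookie.

    Returns the token fields when the hashes match, None when the cookie is
    malformed, corrupt, or has been tampered with.
    """
    try:
        blob_b64, digest = cookie.rsplit(".", 1)
        token = toy_encrypt(key, base64.urlsafe_b64decode(blob_b64))
    except ValueError:  # missing separator or bad base64 (binascii.Error)
        return None
    if not hmac.compare_digest(hashlib.md5(token).hexdigest(), digest):
        return None
    return json.loads(token)


def tamper(cookie: str, byte_index: int = 0) -> str:
    """Flip one bit in the encrypted part of the cookie and leave the hash alone."""
    blob_b64, digest = cookie.rsplit(".", 1)
    blob = bytearray(base64.urlsafe_b64decode(blob_b64))
    blob[byte_index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(blob)).decode() + "." + digest


if __name__ == "__main__":
    key = b"example-shared-secret"  # assumed; not a real OAM key
    # Constructed sample token fields; the real token contents are not modelled.
    fields = {"user": "jdoe", "level": 2, "issued": 1700000000}
    cookie = build_cookie(key, fields)
    print("valid    ->", verify_cookie(key, cookie))
    print("tampered ->", verify_cookie(key, tamper(cookie)))
    print("refresh every", refresh_interval(IDLE_TIMEOUT_SECONDS), "seconds")
```

The tampered cookie fails because the flipped ciphertext bit changes the decrypted token, whose MD5 no longer matches the stored digest. Since the digest itself is unkeyed, what stops an attacker from editing the token and recomputing the hash is only that the token is encrypted under a key they do not have; a keyed MAC such as HMAC over the ciphertext would make the integrity check independent of the cipher.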