Guidelines for Deployment-Specific Pages

When implementing deployment-specific pages, observe the following guidelines:

  • Oracle recommends that login and change password pages be protected by SSL.

  • The login and change password pages must be coded to defend against cross-site scripting attacks: any value that the page reflects back from the request must be escaped before it is written into the HTML.

  • The login and change password pages must have browser auto-fill and caching turned off. This prevents user credentials from being saved or cached in the browser. Here is an example of the AutoComplete attribute on the form tag:

    <FORM NAME="foo" AutoComplete="off" METHOD="POST" ACTION="bar">
    
  • Oracle recommends that you configure your login page to display a banner that warns against unauthorized access. You may, for example, want to use the following text or a variant thereof:

    Unauthorized use of this site is prohibited and may subject you to civil and criminal prosecution.

  • Deploy the login and change password pages on the computer that hosts the single sign-on server. This makes it easier to detect false versions of these pages.
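The following Python function is an added illustration, not code from the Oracle documentation, of the cross-site scripting, auto-fill and caching guidelines above: it escapes every request-derived value before it is placed in the page, emits the form with AutoComplete off, and returns the response headers that disable caching. The function and parameter names, the error-message field and the check helper are assumptions made for this example.

```python
import html
from typing import Dict, Tuple

# Standard HTTP headers that stop browsers and intermediate proxies from
# caching the login page. The function around them is an illustrative
# assumption, not Oracle's own code.
NO_CACHE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def render_login_page(action: str, username: str = "",
                      error: str = "") -> Tuple[Dict[str, str], str]:
    """Return (headers, page_html) for a hardened login page.

    Everything that originates from the request (the previously typed
    username and the error text, both hypothetical inputs) is HTML-escaped
    before being written into the page, so a crafted value cannot inject
    markup or script.
    """
    safe_action = html.escape(action, quote=True)
    safe_user = html.escape(username, quote=True)
    safe_error = html.escape(error, quote=True)
    error_block = f'<p class="error">{safe_error}</p>\n' if error else ""
    page = (
        "<!DOCTYPE html>\n<html><head><title>Login</title></head><body>\n"
        # Warning banner text taken from the guideline above.
        "<p>Unauthorized use of this site is prohibited and may subject you "
        "to civil and criminal prosecution.</p>\n"
        f"{error_block}"
        # autocomplete="off" on the form keeps the browser from offering to
        # store the credentials; the fields repeat it for older browsers.
        f'<form name="login" autocomplete="off" method="POST" '
        f'action="{safe_action}">\n'
        f'  <input type="text" name="username" value="{safe_user}" '
        'autocomplete="off">\n'
        '  <input type="password" name="password" autocomplete="off">\n'
        '  <input type="submit" value="Login">\n'
        "</form>\n</body></html>\n"
    )
    return dict(NO_CACHE_HEADERS), page


def is_hardened(headers: Dict[str, str], page: str) -> bool:
    """Mechanical check of the two settable guidelines: caching and auto-fill off."""
    cache = headers.get("Cache-Control", "")
    return "no-store" in cache and 'autocomplete="off"' in page
```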