Guidelines for Deployment-Specific Pages
When implementing deployment-specific pages, observe the following guidelines:
- Oracle recommends that the login and change password pages be protected by SSL (TLS), so that user credentials are never transmitted in clear text.
- The login and change password pages must be coded to defend against cross-site scripting attacks: any value that is echoed back into the page (an error message, a return URL, a user name) must be HTML-escaped, and URLs that the page redirects to must be validated.
- The login and change password pages must have auto-fill and caching turned off. This prevents user credentials from being saved or cached in the browser. Here is an example of the AutoComplete attribute on a form:
<FORM NAME="foo" AutoComplete="off" METHOD="POST" ACTION="bar">
Note that current browsers ignore autocomplete="off" on user name and password fields so that their built-in password managers keep working; the attribute suppresses form-history auto-fill but is not a reliable control on its own. Caching is controlled by the HTTP response headers (Cache-Control: no-store, Pragma: no-cache, Expires: 0), not by the form tag.
- Oracle recommends that you configure your login page to display a banner that warns against unauthorized access. You may, for example, want to use the following text or a variant thereof:
Unauthorized use of this site is prohibited and may subject you to civil and criminal prosecution.
- Deploy the login and change password pages on the computer that hosts the single sign-on server. Users then always see the single sign-on server's host name in the address bar when they enter credentials, which makes spoofed copies of these pages easier to detect.
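The following is an added example, not Oracle's code, showing how the cross-site scripting, auto-fill and caching guidelines above fit together in a single login page handler. It renders the form with the AutoComplete attribute off, returns the no-cache response headers, HTML-escapes the two values the page echoes back (an error message and a post-login return URL), and rejects return URLs that carry a scheme or host. The function names, the form action "/sso/login" and the parameter names are assumptions chosen for illustration.

```python
"""Added example (not Oracle's code): render a login page that turns off
browser auto-fill and caching and escapes untrusted input before it is
written into the page. Function names, the "/sso/login" action and the
parameter names are assumptions for illustration."""

import html
from urllib.parse import urlsplit

# Response headers that stop browsers and intermediate proxies from
# storing the login page (and the credentials posted from it).
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",   # honoured by HTTP/1.0 caches
    "Expires": "0",
}


def safe_return_url(candidate: str) -> str:
    """Accept only a same-site relative path as the post-login target.

    Anything with a scheme or host ("http://evil", "javascript:...",
    "//evil") or a backslash (which browsers treat like "/") is replaced
    by the site root, so the value cannot be used for an open redirect or
    to smuggle a script URL through the hidden field."""
    candidate = candidate or ""
    parts = urlsplit(candidate)
    if (
        parts.scheme
        or parts.netloc
        or "\\" in candidate
        or not candidate.startswith("/")
        or candidate.startswith("//")
    ):
        return "/"
    return candidate


def render_login_page(error: str = "", return_url: str = "/"):
    """Return (headers, html_body) for the login page.

    The error text and return URL are untrusted (they typically come from
    the query string), so they are escaped with quote=True: that neutralises
    <, >, & and both quote characters, which is what stops an attacker from
    closing the attribute or injecting a tag (cross-site scripting)."""
    safe_error = html.escape(error, quote=True)
    safe_target = html.escape(safe_return_url(return_url), quote=True)
    body = f"""<!DOCTYPE html>
<html><head><title>Sign In</title></head>
<body>
<p><b>Unauthorized use of this site is prohibited and may subject you to
civil and criminal prosecution.</b></p>
<p class="error">{safe_error}</p>
<form name="login" method="POST" action="/sso/login" autocomplete="off">
  <input type="hidden" name="return_url" value="{safe_target}">
  <label>Username <input type="text" name="username" autocomplete="off"></label>
  <label>Password <input type="password" name="password" autocomplete="off"></label>
  <input type="submit" value="Sign In">
</form>
</body></html>"""
    return dict(NO_CACHE_HEADERS), body


if __name__ == "__main__":
    # Constructed malicious input: a script in the error text and a
    # javascript: URL as the return target. Both are rendered inert.
    headers, page = render_login_page(
        error="<script>alert(1)</script>", return_url="javascript:alert(1)"
    )
    print("\n".join(f"{k}: {v}" for k, v in headers.items()))
    print(page)
```

The hidden return_url field is the place where a login page most often becomes an open redirect or an XSS sink, which is why the example validates it before escaping it rather than relying on escaping alone. Whatever framework serves the page (JSP, servlet filter, reverse proxy) must also emit the three cache headers on the change password page and on the POST response, not just on the GET of the form.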