Summary:
In this guide we will see how to pre-fill the username field during the second challenge in step-up authentication.
Conditions:
- Both the low-level and the high-level authentication schemes use the HTML Form Authentication scheme.
- The UseHTTPOnlyCookies ACO parameter is set to YES.
- Server-side technologies such as ASP/JSP/ASPX cannot be used; only login.fcc can be used for the login form.
Environment:
- Web Agent : 12.0 and above
- OS : ANY
Instructions:
1. Create two copies of the OOTB login.fcc and rename them login5.fcc and login10.fcc.
2. Create two HTML Form authentication schemes, one using login5.fcc with Protection Level 5 and the other using login10.fcc with Protection Level 10.
3. Protect two resources, say /html/ with the login5.fcc auth scheme and /html10/ with the login10.fcc auth scheme, to simulate a step-up authentication scenario.
4. Now, the trick is to add the following line to login5.fcc to instruct the Web Agent to save the value of the "USER" form field as a cookie:
@save=USER
(Note: If you need to save multiple form fields, specify the form field names as a colon-separated list, e.g. @save=USER:TARGET.)
After adding this line, the top of login5.fcc looks like this:
<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0
@save=USER
<html>
5. Next, modify login10.fcc to pre-fill the USER form field by reading the cookie set earlier, like this:
<td ALIGN="LEFT" >
<b><font size=-1 face="arial,helvetica" > Username: </font></b>
</td>
<td ALIGN="LEFT" >
<input type="text" name="USER" size="30" style="margin-left: 1px" value="$$USER$$">
</td>
<td WIDTH=20 > </td>
Now, the most important thing to note here is that this works even when HTTPOnly cookies are in use, because FCC processing happens on the server side as well as on the client side. All variables of the form $$VariableName$$ are replaced on the server side by reading the value from sources such as:
- The headers named in the SMHEADERS variable.
- The directives.
- The cookies.
- The posted form data.
Because the variable replacement happens on the server side, the HTTPOnly flag on the cookie makes no difference: the browser never needs script access to it.
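To make the two mechanisms concrete, here is an added Python model (not the Web Agent's code, nor the attached sample) of the @save directive from step 4 and of the server-side $$VariableName$$ substitution described just above. It assumes that a saved field becomes a cookie with the same name as the form field, that lookups are tried in the order posted form, cookies, directives, SMHEADERS headers, and that substituted values are HTML-escaped before landing in the value attribute; all three are choices of this model rather than documented agent behaviour. The sample FCC texts are constructed. The model also shows why only the non-sensitive USER field should be named in @save: whatever is listed there is written out as a cookie, so a PASSWORD field must never be saved this way.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed, abridged FCC files for the demo (not the attached sample).
LOGIN5_FCC = """<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0
@save=USER
<html><body>
<form method="post">
<input type="text" name="USER" value="">
<input type="password" name="PASSWORD">
</form></body></html>
"""

LOGIN10_FCC = """<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0
<html><body>
<form method="post">
<input type="text" name="USER" value="$$USER$$">
<input type="password" name="PASSWORD">
</form></body></html>
"""

DIRECTIVE_RE = re.compile(r"^@(\w+)=(.*)$", re.MULTILINE)
PLACEHOLDER_RE = re.compile(r"\$\$(\w+)\$\$")


def parse_directives(fcc_text):
    """Collect the @name=value directive lines of an FCC file into a dict."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE_RE.finditer(fcc_text)}


def save_cookies_for(fcc_text, posted_form, http_only=True):
    """Model of @save: the named posted form fields are written out as cookies.
    Field names are colon separated (@save=USER:TARGET). Using the field name
    as the cookie name is an assumption of this model. Returns Set-Cookie values."""
    fields = [f for f in parse_directives(fcc_text).get("save", "").split(":") if f]
    set_cookie = []
    for field in fields:
        if field not in posted_form:
            continue
        jar = SimpleCookie()
        jar[field] = posted_form[field]
        jar[field]["path"] = "/"
        jar[field]["httponly"] = http_only  # mirrors UseHTTPOnlyCookies=YES
        set_cookie.append(jar[field].OutputString())
    return set_cookie


def client_visible_cookies(set_cookie_values):
    """Model of document.cookie: script only sees cookies set without HttpOnly."""
    return [v.split(";", 1)[0] for v in set_cookie_values if "httponly" not in v.lower()]


def render_fcc(fcc_text, cookie_header="", posted_form=None, request_headers=None, smheaders=()):
    """Model of server-side $$NAME$$ substitution. Values come from the four
    sources the guide lists; the lookup order (posted form, cookies, directives,
    SMHEADERS headers) and the HTML escaping are choices of this model.
    Directive lines are dropped from the page that reaches the browser."""
    posted_form = posted_form or {}
    request_headers = request_headers or {}
    directives = parse_directives(fcc_text)
    cookies = SimpleCookie(cookie_header)  # parsed from the request Cookie header

    def lookup(name):
        if name in posted_form:
            return posted_form[name]
        if name in cookies:
            return cookies[name].value
        if name in directives:
            return directives[name]
        if name in smheaders and name in request_headers:
            return request_headers[name]
        return ""

    body = "\n".join(line for line in fcc_text.splitlines() if not line.startswith("@"))
    return PLACEHOLDER_RE.sub(lambda m: html.escape(lookup(m.group(1)), quote=True), body)


if __name__ == "__main__":
    # First challenge: login5.fcc is posted, the agent saves USER as an HttpOnly cookie.
    set_cookie = save_cookies_for(LOGIN5_FCC, {"USER": "alice", "PASSWORD": "s3cret"})
    print("Set-Cookie:", set_cookie)
    print("visible to document.cookie:", client_visible_cookies(set_cookie))
    # Second challenge: the browser sends the cookie back; login10.fcc is rendered server-side.
    print(render_fcc(LOGIN10_FCC, cookie_header="USER=alice"))
```

Running the script shows the Set-Cookie value carrying HttpOnly, an empty list for what page script could read, and a login10 page whose USER input already contains alice. The escaping in render_fcc is the check a defender would add: a cookie value is attacker-influenced input when it is placed inside an HTML attribute, so it must be encoded before substitution regardless of where the value came from.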
Attachment:
- Sample login .fcc
- Sample Fiddler capture