Symantec Access Management

  • 1.  CA Single Sign ON:

    Posted Jun 23, 2016 05:56 AM

    Hello Guys,

     

    We have one requirement from one of our application team:

    Requirement: Need to display the error messages on the login page itself.

    We had written JavaScript that captured the error message cookie and displayed it on the login page. This scenario works only when we do not enable usehttponly cookies. Because of security concerns we have to enable usehttponlycookies=yes, and from then on the error message is not displayed on screen.

     

    Also, the application team doesn't want to redirect the users to an error page for invalid attempts; they want to display the error page on the login page.

    So could you guys provide any alternative solution for this?

     

    Thanks.

    Ashok Regula



  • 2.  Re: CA Single Sign ON:

    Posted Jun 23, 2016 06:08 AM

    Hello Ashok,

     

    Can you please provide more details on the cookie that you are trying to use and about your JavaScript code? Are you using the SMUSRMSG cookie? Are you decoding it using the SDK?

     

    Normally SiteMinder will not provide information to the end user on why his login failed, because it can lead to security problems. If a user knows that the password is incorrect, he can try a different password multiple times. If he knows that the username is invalid, he can try another username. Identity may be stolen.

     

    Checking a bit further on the HTTP-only flag, you can find more information on the Microsoft website. It was introduced to mitigate cross-site scripting.

     

    Regards,

    Julien.



  • 3.  Re: CA Single Sign ON:

    Posted Jun 23, 2016 06:57 AM

    Thanks Julien.

    We are not using the SiteMinder SDK.

    We just wrote a snippet of code in login.fcc to display the error message.

     

    We are using the below JavaScript to display the error message based on the cookie:

    function getcookie(cookiename) {
        // Return the decoded value of the named cookie, or "" if it is not set.
        var cookiestring = "" + document.cookie;
        //alert(cookiestring);
        var index1 = cookiestring.indexOf(cookiename);
        if (index1 == -1 || cookiename == "") return "";
        var index2 = cookiestring.indexOf(';', index1);
        if (index2 == -1) index2 = cookiestring.length;
        return unescape(cookiestring.substring(index1 + cookiename.length + 1, index2));
    }

    <script>
        var cookiename = 'SSO_ERROR_MSG';
        if (getcookie(cookiename)) {
            // Write the message into the page, then call createCookie
            // (its definition is not shown in this post).
            document.write(getcookie(cookiename));
            createCookie(cookiename);
        }
    </script>

     

    We will map a response to the particular realm with WebAgent-HTTP-Cookie-Variable and SSO_ERROR_MSG=Wrong Credentials.

    So whenever a user attempts to log in with a wrong password or wrong user name, he will get "Wrong credentials" on the login page.
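
An added example, not part of the original posts: the cookie lookup from post 3 reworked so that SSO_ERROR_MSG is matched by exact name and its value is HTML-encoded before it reaches the page, because document.write of a raw cookie value lets any markup in that cookie be parsed by the browser. The helper names, CSS class and sample cookie strings are assumptions, and the approach applies only while the cookie is readable from script (not HttpOnly).

```javascript
// Added example. SSO_ERROR_MSG is the cookie name from the post; the helper
// names, CSS class and sample cookie strings are constructed for illustration.

// Return the value of the cookie whose name matches exactly. A plain
// indexOf(name) also matches inside a longer cookie name or inside a value.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // malformed percent-encoding: keep the raw text
    }
  }
  return "";
}

// HTML-encode text so that markup inside a cookie value is shown, not parsed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the fragment for the login page, or "" when no error cookie is set.
function loginErrorHtml(cookieString) {
  const message = readCookie(cookieString, "SSO_ERROR_MSG").slice(0, 200);
  if (message === "") return "";
  return '<p class="login-error">' + escapeHtml(message) + "</p>";
}

// In the browser: pass document.cookie, or skip the HTML step entirely with
//   element.textContent = readCookie(document.cookie, "SSO_ERROR_MSG");
const SAMPLE = "OLD_SSO_ERROR_MSG=stale; SSO_ERROR_MSG=Wrong%20Credentials";
console.log(loginErrorHtml(SAMPLE));
```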



  • 4.  Re: CA Single Sign ON:
    Best Answer

    Broadcom Employee
    Posted Jul 15, 2016 02:41 PM

    You could create multiple login.fcc files (login1.fcc, login2.fcc, …) that can contain error messages.

    Use the directive @smerrorpage to send the user to the next page, which will contain the different message you want to provide:

    @username=%USER%

    @smretries=1

    @smerrorpage=https://mysite.com/siteminderagent/forms/login2.fcc