Cannot login anymore after changing cookie domains

This topic contains 7 replies, has 6 voices, and was last updated by  william.hepler 4 months, 2 weeks ago.


    I’ve been testing with OpenAM 5.5 on Ubuntu and here’s what I’m doing.

    – Change my cookie domain in Global Services from to +
    – Logout from the AM console
    – Try to log back in

    This use case doesn’t work for me as I simply get a login page that hangs at “Loading…”. I have tried clearing all of my browser data + cookies, switching browsers, and I’ve also tried using the /manager interface to reload OpenAM, but none of these allow me to log back in. The only thing that has allowed me to log back in is to go to /var/lib/tomcat8 and rm -rf openam, which then allows me to create a new profile for OpenAM, resetting all of my configuration (as expected).

    Can someone please advise me on how I change my cookie domain without breaking everything?

     Peter Major 

    Tomcat 8.5+ versions do not allow preceding ‘.’ character in cookie domains, so make sure you set the cookie domain to Also don’t configure both and domains at the same time, having as the only value should suffice.



    I will give that a try.


    Hi Peter,
    I am facing the same issue but in AM 6.0 on RHEL (AWS instance). We had the cookie domain set as ““, we have changed it to “” after which I am not able to log in using amadmin. (Tomcat version 9). Any pointers on resolving this issue?

    I had to update the domain name back to the original using ssoadm for me to proceed with my work.



    There is a KB that covers this as well:

    Cookie domain

    As of OpenAM 13.5, the cookie domain defaults to the full FQDN. Login will not succeed unless the cookie domain is set correctly.

    See FAQ: Cookies in AM/OpenAM (Q. What does the cookie domain default to?) for further information about this change.

    I had recently run into this as well. I’ll see if there is a way to clarify this more.


    To handle the cookie domain issue, we have to change the files in the backend database.


    I am facing the same issue on AM 6.5. Could you please elaborate on what backend files were changed? Thanks.


    You should use ssoadm:
    Cookie Domains

    Change the default cookie domain:
    $ ./ssoadm set-attr-defs -s iPlanetAMPlatformService -t Global -u [adminID] -f [passwordfile] -a iplanet-am-platform-cookie-domains=[domain]
    replacing [adminID], [passwordfile] and [domain] with appropriate values.

    Potentially they may have used an LDAP editor and found iplanet-am-platform-cookie-domains and changed this manually in the configuration store. But ssoadm would be cleaner.
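
A pre-flight check for a candidate cookie domain before it is applied, as an added example that is not part of the original thread or ForgeRock's code: it flags the leading '.' that Tomcat 8.5+ rejects and values that do not domain-match (RFC 6265) the host name used to reach the login page. The function names and the example.com/example.org host names are assumptions made for illustration.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (case-insensitive)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower()
    if host == cookie_domain:
        return True
    # A suffix match only counts for host names, never for IP addresses.
    return host.endswith("." + cookie_domain) and not _is_ip(host)

def check_cookie_domain(server_fqdn, cookie_domain):
    """Return a list of problems; an empty list means the value passed every check."""
    value = cookie_domain.strip()
    if not value:
        return ["cookie domain is empty"]
    if any(ch in value for ch in "/:"):
        return ["cookie domain must be a bare host name (no scheme, port or path)"]
    problems = []
    if value.startswith("."):
        problems.append("leading '.' is not allowed by Tomcat 8.5+")
        value = value.lstrip(".")
    if not domain_matches(server_fqdn, value):
        problems.append(
            f"{server_fqdn} does not domain-match {value}; "
            "the browser will discard the session cookie")
    return problems

if __name__ == "__main__":
    # Constructed sample values; replace with your own AM host and candidate domain.
    for candidate in (".example.com", "example.com", "example.org"):
        print(candidate, "->", check_cookie_domain("openam.example.com", candidate) or "OK")
```

Run it with the FQDN that users type into the browser; a value that returns no problems can then be applied with the ssoadm command above.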
