Cannot login anymore after changing cookie domains

This topic contains 7 replies, has 6 voices, and was last updated by  william.hepler 2 weeks, 2 days ago.

  • #20883
     ray.wang 
    Participant

    Hi,

    I’ve been testing with OpenAM 5.5 on Ubuntu and here’s what I’m doing.

    – Change my cookie domain in Global Services from openam.example.com to openam.example.com + .example.com
    – Logout from the AM console
    – Try to log back in

    This use case doesn’t work for me as I simply get a login page that hangs at “Loading…”. I have tried clearing all of my browser data + cookies, switching browsers, and I’ve also tried using the /manager interface to reload OpenAM, but none of these allow me to log back in. The only thing that has allowed me to log back in is to go to /var/lib/tomcat8 and rm -rf openam, which then allows me to create a new profile for OpenAM, resetting all of my configuration (as expected).

    Can someone please advise me on how I change my cookie domain without breaking everything?

    #20884
     Peter Major 
    Moderator

    Tomcat 8.5+ versions do not allow preceding ‘.’ character in cookie domains, so make sure you set the cookie domain to example.com. Also don’t configure both openam.example.com and example.com domains at the same time, having example.com as the only value should suffice.

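A worked check for the two rules in the reply above, added here as an example (it is not OpenAM or Tomcat code): Tomcat 8.5+'s RFC 6265 cookie processor rejects a Domain value with a leading dot, and a cookie scoped to example.com is already sent to openam.example.com, so listing both values is redundant. The public-suffix check is an added caveat the thread does not discuss, and the short suffix list in the code is a hand-copied excerpt that must be verified against the current list at https://publicsuffix.org/list/ before relying on it; the hostnames in the demo loop are constructed.

```python
"""Cookie-domain sanity checks for AM/OpenAM behind Tomcat 8.5+ (added example,
not OpenAM or Tomcat code). It re-implements in Python the rules behind the
advice in the thread:

 1. Tomcat 8.5+ (Rfc6265CookieProcessor) rejects a Domain attribute with a
    leading '.', so ".example.com" makes every Set-Cookie fail.
 2. Per RFC 6265 a cookie with Domain=example.com is already sent to
    openam.example.com, so listing both values is redundant.
 3. (Caveat not in the thread) browsers refuse Domain cookies scoped to a
    public suffix; the list below is a hand-copied excerpt and must be
    checked against https://publicsuffix.org/list/ before relying on it.
"""
import re

# Labels must be letters/digits/hyphens and start and end with a letter or digit.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed excerpt of the Public Suffix List; '*' matches exactly one label.
PUBLIC_SUFFIX_EXCERPT = ("com", "co.uk", "*.compute.amazonaws.com")


def tomcat_accepts_domain(domain):
    """Approximates Tomcat's Rfc6265CookieProcessor domain validation: no
    leading/trailing/doubled dot, no label starting or ending with '-'."""
    return bool(domain) and all(LABEL.match(label) for label in domain.split("."))


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain or ends with '.'+domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_public_suffix(domain, suffixes=PUBLIC_SUFFIX_EXCERPT):
    """True if domain is itself a public suffix under the (excerpted) rules."""
    labels = domain.lower().split(".")
    for rule in suffixes:
        rule_labels = rule.split(".")
        if len(rule_labels) != len(labels):
            continue
        if all(r == "*" or r == l for r, l in zip(rule_labels, labels)):
            return True
    return False


def check_cookie_domains(am_host, configured):
    """Return the problems found with the configured cookie-domain values for
    an AM instance reached at am_host; an empty list means the values are fine."""
    problems = []
    covering = []
    for d in configured:
        if not tomcat_accepts_domain(d):
            problems.append("%r: rejected by Tomcat 8.5+ (leading/trailing dot or bad label)" % d)
        elif not domain_matches(am_host, d):
            problems.append("%r: the browser will never send it to %s" % (d, am_host))
        elif is_public_suffix(d):
            problems.append("%r: public suffix, browsers drop Domain cookies scoped to it" % d)
        else:
            covering.append(d)
    if len(covering) > 1:
        problems.append("redundant values %r: one value covering %s suffices" % (covering, am_host))
    return problems


if __name__ == "__main__":
    # Constructed hosts/values mirroring the cases in the thread.
    for host, domains in [
        ("openam.example.com", [".example.com"]),                       # leading dot
        ("openam.example.com", ["openam.example.com", "example.com"]),  # both at once
        ("openam.example.com", ["example.com"]),                        # recommended
        ("ec2-1-2-3-4.ap-x.compute.amazonaws.com", ["ap-x.compute.amazonaws.com"]),
    ]:
        print(host, domains, check_cookie_domains(host, domains) or "OK")
```

Run the check against the host name users actually type into the browser, not the name Tomcat binds to; the domain-match rule is applied by the browser, so a value that passes Tomcat but does not cover the visited host still produces a login page that never gets its session cookie.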
    #20905
     ray.wang 
    Participant

    Thanks,

    I will give that a try.

    #24497
     VSIN89319 
    Participant

    Hi Peter,
I am facing the same issue but in AM 6.0 on RHEL (AWS instance). We had the cookie domain set as “ec2-xx-xx-xx-xx.ap-abcdefg-x.compute.amazonaws.com”, and we changed it to “ap-abcdefg-x.compute.amazonaws.com”, after which I am not able to login using amadmin (Tomcat version 9). Any pointers on resolving this issue?

I had to update the domain name back to the original using ssoadm to proceed with my work.

    Thanks,
    VS

    #24703
     william.hepler 
    Participant

    There is a KB that covers this as well:
    https://backstage.forgerock.com/knowledge/kb/article/a48763995

    Cookie domain

    As of OpenAM 13.5, the cookie domain defaults to the full FQDN. Login will not succeed unless the cookie domain is set correctly.

    See FAQ: Cookies in AM/OpenAM (Q. What does the cookie domain default to?) for further information about this change.

    I had recently run into this as well. I’ll see if there is a way to clarify this more.

    #24770
     rajeshsadhanala 
    Participant

    To handle the cookie domain issue, we have to change the files in the backend database.

    #25275
     sandeep_murthy 
    Participant

I am facing the same issue on AM 6.5. Could you please elaborate on what backend files were changed? Thanks.

    #25384
     william.hepler 
    Participant

    You should use ssoadm:
    Cookie Domains

    Change the default cookie domain:
    $ ./ssoadm set-attr-defs -s iPlanetAMPlatformService -t Global -u [adminID] -f [passwordfile] -a iplanet-am-platform-cookie-domains=[domain]
    replacing [adminID], [passwordfile] and [domain] with appropriate values.

Potentially they may have used an LDAP editor, found iplanet-am-platform-cookie-domains and changed it manually in the configuration store, but ssoadm would be cleaner.
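The ssoadm procedure from the post above, wrapped so that the old value is read back first (the earlier poster had to revert) and the amadmin password never stays on disk. This is an added example, not ForgeRock code. Assumptions not stated in the thread: the ssoadm install path in SSOADM, that get-attr-defs prints one attribute=value line per value, and that the password file should be owner-read-only (mode 0400), which is what ssoadm expects.

```python
"""Change the AM/OpenAM cookie domain with ssoadm (added example, not ForgeRock code).

Assumptions: SSOADM below is where the ssoadm tool was unpacked; get-attr-defs
prints lines of the form 'attribute=value'; the password file must be readable
only by its owner, so it is created with mode 0400 and removed afterwards.
"""
import os
import subprocess
import tempfile

SSOADM = "/opt/openam/tools/ssoadm"   # assumed install path
SERVICE = "iPlanetAMPlatformService"
ATTR = "iplanet-am-platform-cookie-domains"


def get_cmd(ssoadm, admin, pwfile):
    """argv to read the current global default of the cookie-domain attribute."""
    return [ssoadm, "get-attr-defs", "-s", SERVICE, "-t", "Global",
            "-u", admin, "-f", pwfile, "-a", ATTR]


def set_cmd(ssoadm, admin, pwfile, domain):
    """argv for the set-attr-defs command quoted in the post above."""
    return [ssoadm, "set-attr-defs", "-s", SERVICE, "-t", "Global",
            "-u", admin, "-f", pwfile, "-a", "%s=%s" % (ATTR, domain)]


def parse_current(output):
    """Collect the cookie-domain values from 'attribute=value' output lines
    (assumed output format)."""
    return [line.split("=", 1)[1].strip()
            for line in output.splitlines() if line.startswith(ATTR + "=")]


def run(argv):
    """Execute ssoadm and return its stdout; non-zero exit raises."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def change_cookie_domain(admin, password, new_domain, ssoadm=SSOADM, runner=run):
    """Set the cookie domain and return (old_values, new_values) so the caller
    can confirm the change and knows what to put back if login breaks."""
    if new_domain.startswith("."):
        raise ValueError("Tomcat 8.5+ rejects a leading dot; use e.g. example.com")
    fd, pwfile = tempfile.mkstemp(prefix="ssoadm-pw-")   # created 0600 by mkstemp
    try:
        with os.fdopen(fd, "w") as f:
            f.write(password + "\n")
        os.chmod(pwfile, 0o400)                          # owner-read-only for ssoadm
        before = parse_current(runner(get_cmd(ssoadm, admin, pwfile)))
        runner(set_cmd(ssoadm, admin, pwfile, new_domain))
        after = parse_current(runner(get_cmd(ssoadm, admin, pwfile)))
    finally:
        os.unlink(pwfile)                                # never leave the password behind
    return before, after


if __name__ == "__main__":
    import getpass
    old, new = change_cookie_domain("amadmin", getpass.getpass("amadmin password: "), "example.com")
    print("cookie domains before:", old)
    print("cookie domains after: ", new)
```

After the change, log out of the console, clear cookies for the old host-scoped domain, and log in again; if it fails, the returned `before` list is exactly what to pass back to set-attr-defs to undo it.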


©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
