Tech Tip – Pre-fill username during step up authentication


Summary:

In this guide we will see how to pre-fill the username field during the second challenge in step-up authentication.

 

Conditions:

  • Both the low-level and high-level authentication schemes use the HTML Form Authentication scheme.
  • The UseHTTPOnlyCookies ACO parameter is set to YES.
  • Server-side technology such as ASP/JSP/ASPX cannot be used; only login.fcc can be used for the login form.

Environment:

  • Web Agent : 12.0 and above
  • OS : ANY

Instructions:

1. Create two copies of the OOTB login.fcc and rename them login5.fcc and login10.fcc.

2. Create two HTML Form authentication schemes: one using login5.fcc with Protection Level 5 and the other using login10.fcc with Protection Level 10.

3. Protect two resources, say /html/ with the login5.fcc auth scheme and /html10/ with the login10.fcc auth scheme, to simulate a step-up authentication scenario.

5. Now, the trick is to add the following line to login5.fcc to instruct the Web Agent to save the value of the "USER" form field as a cookie:

@save=USER

(Note: If you need to save multiple form fields, you can specify the form field names as a colon-separated list, like @save=USER:TARGET)

 

After adding this line, the top of login5.fcc looks like this:

<!-- SiteMinder Encoding=UTF-8; -->
@username=%USER%
@smretries=0
@save=USER

<html>

 

6. Next, modify login10.fcc to pre-fill the USER form field by reading the cookie set earlier, like this:

<td ALIGN="LEFT" >
<b><font size=-1 face="arial,helvetica" > Username: </font></b>
</td>
<td ALIGN="LEFT" >
<input type="text" name="USER" size="30" style="margin-left: 1px" value="$$USER$$">
</td>
<td WIDTH=20 > </td>

The most important thing to note here is that this works even when using HTTPOnly cookies, because FCC processing happens on both the server side and the client side. All variables of the form $$VariableName$$ are replaced on the server side by reading the value from various sources, such as:

  • The headers named in the SMHEADERS variable.
  • The directives.
  • The cookies.
  • The posted form data.

As you can see above, the variable replacement happens on the server side, so it doesn't matter even if the HTTPOnly flag is set on the cookies.
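
A small consistency check for the two templates, added here as an example (it is not part of the original tip or of the product): it confirms that login5.fcc saves the field that login10.fcc expects to pre-fill, and flags typographic quotes picked up when the markup is copied from a web page. The function names and the sample template text are constructed for illustration, and the check assumes the @save directive is written in lowercase as shown above.

```python
import re
from html.parser import HTMLParser

def saved_fields(fcc_text):
    """Form-field names listed in @save directives (colon-separated list)."""
    fields = set()
    for line in fcc_text.splitlines():
        line = line.strip()
        if line.startswith("@save="):
            fields.update(f for f in line[len("@save="):].split(":") if f)
    return fields

class _Inputs(HTMLParser):
    """Collects {input name: value attribute} for every <input> tag."""
    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.values[a["name"]] = a.get("value") or ""

def check_prefill(low_fcc, high_fcc, field="USER"):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if field not in saved_fields(low_fcc):
        problems.append(f"low-level form has no @save entry for {field}")
    parser = _Inputs()
    parser.feed(high_fcc)
    parser.close()
    if parser.values.get(field) != f"$${field}$$":
        problems.append(f'high-level form does not set value="$${field}$$" on {field}')
    # Curly quotes are not attribute delimiters, so the browser sees broken markup.
    if re.search("[\u201c\u201d\u2033]", high_fcc):
        problems.append("high-level form contains typographic quotes")
    return problems

# Constructed sample templates, trimmed to the relevant lines.
LOGIN5 = "<!-- SiteMinder Encoding=UTF-8; -->\n@username=%USER%\n@smretries=0\n@save=USER:TARGET\n<html>...</html>\n"
LOGIN10_OK = '<input type="text" name="USER" size="30" value="$$USER$$">'
LOGIN10_BAD = '<input type="text" name="USER" size="30">'

if __name__ == "__main__":
    print(check_prefill(LOGIN5, LOGIN10_OK))
    print(check_prefill(LOGIN5, LOGIN10_BAD))
```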
