Tech Tip – Pre-fill username during step up authentication

prefill username


In this guide we will see how to pre-fill the username field during second challenge in step up authentication.



  • Both low level and high level authentication scheme is using HTML Form Authentication scheme.
  • UseHTTPOnlyCookies ACO parameter is set to YES
  • Can not use server side technology like  ASP/JSP/ASPX etc. Can only use login.fcc for login form.


  • Web Agent : 12.0 and above
  • OS : ANY


1. Let’s create two copies of the OOTB login.fcc and rename them as login5.fcc & login10.fcc.

2. Create two HTML FORM authentication scheme one using login5.fcc with Protection Level 5 and other using login10.fcc with Protection Level 10.

3. Protect two resource say /html/ with login5.fcc auth scheme and /html10/ with login10.fcc to simulate step up authentication scenario.

5. Now , the trick is to add following line in the login5.fcc to instruct Web Agent to save the value in the “USER” form field as cookie


(Note : If you need to save multiple form fields, you can specify name of the form field as colon separated list like @save=USER:TARGET )


So, after adding this line the login5.fcc looks like this at top

<!– SiteMinder Encoding=UTF-8; –>



6. Next, modify the login10.fcc to pre-fill the USER form field by reading the cookie set earlier like this :

<td ALIGN=”LEFT” >
<b><font size=-1 face=”arial,helvetica” > Username: </font></b>
<td ALIGN=”LEFT” >
<input type=”text” name=”USER” size=”30″ style=”margin-left: 1px” value=”$$USER$$”>
<td WIDTH=20 > </td>

Now, the most important thing to note here is , this works even when using HTTPOnly cookies as the FCC processing happens on both the server side as well client side. All the variable with the format $$VariableName$$ are replaced on the server side by reading the value from various sources like :

  • The headers named in the SMHEADERS variable.
  • The directives.
  • The cookies.
  • The posted form data.

As you can see above the variable replacement happens on the server side,so it doesn’t matter even if the HTTPOnly flag is set on cookies.


Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest

One Response

  1. Hi UJWOLS,

    The user will initially be authenticated via login5.fcc and associated realm, rule and policy. When then requesting the resource that is protected by login10.fcc is there any way to get the value of SM_USER on the FCC page instead of having a USER cookie which can be modified in the browser?

    Alternatively, if using a custom authentication scheme instead of the HTML Form Template for LOGIN10FCC can the SM_USER be retrieved in the FCC page or in a java class?

    E.g user authenticates loginid and password in HTML Form Template. Then user wants to view additionally protected area that requires a check of data that isn’t password. This is protected with a custom authentication scheme as in
    Is it possible to use the SM_USER from first authentication so we don’t need to store a USER cookie or have a hidden input field with the user data retrieved from the HTTP Headers? If so, how? The hidden input could be changed as could the the cookie so neither are reliable for a second authentication scheme for populating the username.


Leave a Reply

Your email address will not be published.