Tech Tip – Pre-fill username during step up authentication



In this guide we will see how to pre-fill the username field during the second challenge in step-up authentication.



  • Both the low-level and the high-level authentication schemes use the HTML Form authentication scheme.
  • The UseHTTPOnlyCookies ACO parameter is set to YES.
  • Server-side technologies such as ASP/JSP/ASPX cannot be used; only login.fcc can be used for the login form.


  • Web Agent : 12.0 and above
  • OS : ANY


1. Let’s create two copies of the OOTB login.fcc and rename them as login5.fcc & login10.fcc.

2. Create two HTML Form authentication schemes: one using login5.fcc with Protection Level 5 and the other using login10.fcc with Protection Level 10.

3. Protect two resources, say /html/ with the login5.fcc auth scheme and /html10/ with the login10.fcc auth scheme, to simulate a step-up authentication scenario.

5. Now, the trick is to add the following line to login5.fcc to instruct the Web Agent to save the value of the "USER" form field as a cookie:


(Note: If you need to save multiple form fields, you can specify the names of the form fields as a colon-separated list, like @save=USER:TARGET)


So, after adding this line, the top of login5.fcc looks like this:

<!-- SiteMinder Encoding=UTF-8; -->



6. Next, modify login10.fcc to pre-fill the USER form field by reading the cookie set earlier, like this:

<td ALIGN="LEFT" >
<b><font size=-1 face="arial,helvetica" > Username: </font></b>
<td ALIGN="LEFT" >
<input type="text" name="USER" size="30" style="margin-left: 1px" value="$$USER$$">
<td WIDTH=20 > </td>

Now, the most important thing to note here is that this works even when using HTTPOnly cookies, as the FCC processing happens on both the server side and the client side. All variables of the form $$VariableName$$ are replaced on the server side by reading the value from various sources, such as:

  • The headers named in the SMHEADERS variable.
  • The directives.
  • The cookies.
  • The posted form data.

As you can see above, the variable replacement happens on the server side, so it doesn't matter even if the HTTPOnly flag is set on the cookies.
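
To make the flow above concrete, here is a small Python model of it, added as an illustration; it is not code from this post or from the Web Agent. The function names, the cookie being named after the form field, the cookie-then-form lookup order and the HTML-escaping of substituted values are all assumptions of the model.

```python
import html
import re
from http.cookies import SimpleCookie

FCC_VAR = re.compile(r"\$\$(\w+)\$\$")

# Constructed sample templates (trimmed; not the full OOTB login.fcc).
LOGIN5_FCC = '<!-- SiteMinder Encoding=UTF-8; -->\n@save=USER\n<input type="text" name="USER">'
LOGIN10_FCC = '<input type="text" name="USER" size="30" value="$$USER$$">'

def saved_fields(fcc_text):
    """Field names from an '@save=A:B' directive (colon-separated list)."""
    for line in fcc_text.splitlines():
        if line.strip().startswith("@save="):
            return [n for n in line.strip()[len("@save="):].split(":") if n]
    return []

def set_cookie_headers(fcc_text, posted_form):
    """First login: one HttpOnly cookie per saved field.
    Assumption: the cookie is named after the form field."""
    jar = SimpleCookie()
    for name in saved_fields(fcc_text):
        if name in posted_form:
            jar[name] = posted_form[name]
            jar[name]["httponly"] = True
            jar[name]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]

def render_fcc(fcc_text, cookie_header="", posted_form=None):
    """Second challenge: fill $$NAME$$ on the server from the Cookie request
    header, then posted form data (lookup order is an assumption)."""
    cookies = {k: m.value for k, m in SimpleCookie(cookie_header).items()}
    form = posted_form or {}
    def fill(match):
        value = cookies.get(match.group(1), form.get(match.group(1), ""))
        return html.escape(value, quote=True)  # escaping is this model's choice
    return FCC_VAR.sub(fill, fcc_text)

if __name__ == "__main__":
    print(set_cookie_headers(LOGIN5_FCC, {"USER": "jdoe", "PASSWORD": "x"}))
    # The browser hides an HttpOnly cookie from scripts but still sends it back
    # in the Cookie request header, which is all the server-side pass needs.
    print(render_fcc(LOGIN10_FCC, cookie_header="USER=jdoe"))
```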

