APM Session ID not displayed in error page
Hello folks,
I ran into an issue today that you may have already encountered : I am using APM to authenticate users on a web application, and an error page is returned to the user (whatever the reason), the session id is not displayed.
Looking through the error page code, I managed to find where the session id was displayed and found out that the session id is extracted from the LastMRH_Session cookie. Here is the source code from the logout.inc page :
var display_session = get_cookie("LastMRH_Session");
if(null != display_session) {
document.getElementById("sessionDIV").innerHTML = '
%[session_id_caption] ' + display_session + '
';
document.getElementById("sessionDIV").style.visibility = "visible";
}
So the session id is extracted by some JavaScript code in order to be displayed to the user. That means that if you set the "HTTP Only" flag on the cookie in the SSO/Auth Domains properties of your Access profile, the session id won't be displayed as the browser won't allow the JavaScript to read the cookie value.
Has anyone encountered this issue before ? That's an issue for me because I want the session id to be displayed to users when they have an error and I cannot unset the "HTTP Only" flag on the cookie due to security reasons. Has anyone managed to circumvent that issue ?
Antoine