The first thing is that the Domino authentication cookies need to be protected against hijacking. Two cookie attributes do that: HttpOnly keeps the cookie out of reach of any JavaScript running in the page, and Secure stops the browser from ever sending it over plain HTTP.
Secondly, we may need a way to add the SameSite attribute to the cookies if the new defaults in Chrome cause problems. Chrome now treats a cookie without a SameSite attribute as SameSite=Lax. That is meant to block the third-party cookies used for advertising, but with Domino it can break you if your applications bounce between domains, because the session cookie is no longer sent along on the cross-site request. So how do we set the attribute?
Server setting? No, the Domino server doesn't have a setting for this.
Vote for the SameSite ideas on Domino Ideas.
JavaScript in the browser? No, that isn't an option either: the HttpOnly attribute we just added makes the cookie invisible to client-side JavaScript, so it can't read it and write it back.
But from XPages, which runs on the server, we have no problem reading the cookies and setting them again with the correct attributes.
I've added this to the afterPageLoad event. You need to add this code for every Domino-related cookie your setup uses, such as LTPAToken, SessionID or DomAuthSessId.
// cookie is the XPages global map of the cookies the browser sent with this request
var c:javax.servlet.http.Cookie = cookie.get("DomAuthSessId");
var response = facesContext.getExternalContext().getResponse();
if (c != null) {
	// The browser only sends name=value back, never the attributes, so getSecure()
	// is false for any cookie that came in with the request. The header below is
	// therefore re-issued on every page load, which is harmless.
	if (!c.getSecure()) {
		// Path (and Domain, if the original cookie had one) must match the cookie
		// Domino set, otherwise the browser keeps two DomAuthSessId cookies.
		// Chrome only accepts SameSite=None together with Secure.
		response.addHeader("Set-Cookie", "DomAuthSessId=" + c.getValue() + "; Path=/; Secure; HttpOnly; SameSite=None");
	}
}
This rewrites the cookies once you have logged in and an XPage has been served, but it will not help if the browser already drops the cookies during the login itself, because at that point the XPages code has not run yet.
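To check whether the cookies actually come back with the right attributes, the following is an added example, not code from the original post or from HCL Domino: a small Node.js script that parses Set-Cookie header values and reports every cookie that lacks Secure or HttpOnly, has no SameSite attribute (which Chrome 80 and later treats as Lax), or carries SameSite=None without Secure (which Chrome rejects). The sample headers are constructed for illustration and were not captured from a real server.

```javascript
// Added example (not from the original post or from HCL Domino): audit
// Set-Cookie header values for the Secure, HttpOnly and SameSite attributes.
// The sample headers at the bottom are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const first = parts[0] || "";
  const eq = first.indexOf("=");
  const name = eq >= 0 ? first.slice(0, eq).trim() : first;
  const value = eq >= 0 ? first.slice(eq + 1) : "";
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    attrs[key] = i >= 0 ? part.slice(i + 1).trim() : true;
  }
  return { name, value, attrs };
}

// Return the list of problems found in one Set-Cookie header.
// An empty array means the cookie carries Secure, HttpOnly and a valid SameSite.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (attrs.secure === undefined) {
    problems.push(`${name}: missing Secure, so the browser will also send it over plain HTTP`);
  }
  if (attrs.httponly === undefined) {
    problems.push(`${name}: missing HttpOnly, so page JavaScript can read it`);
  }
  if (attrs.samesite === undefined) {
    problems.push(`${name}: no SameSite attribute; Chrome 80+ treats it as Lax and withholds it on cross-site requests`);
  } else {
    const mode = String(attrs.samesite).toLowerCase();
    if (!["strict", "lax", "none"].includes(mode)) {
      problems.push(`${name}: unknown SameSite value "${attrs.samesite}"`);
    } else if (mode === "none" && attrs.secure === undefined) {
      problems.push(`${name}: SameSite=None without Secure is rejected by Chrome`);
    }
  }
  return problems;
}

// Audit a list of headers; returns one entry per header that has findings.
function auditAll(headers) {
  return headers
    .map((h) => ({ header: h, problems: auditSetCookie(h) }))
    .filter((r) => r.problems.length > 0);
}

// Constructed sample headers (not captured from a real Domino server):
const SAMPLE_HEADERS = [
  "DomAuthSessId=constructedvalue; Path=/",                                   // bare session cookie
  "DomAuthSessId=constructedvalue; Path=/; Secure; HttpOnly; SameSite=None",  // what the XPages snippet above emits
  "LTPAToken=constructedvalue; Path=/; Domain=.example.com; SameSite=None",   // None without Secure
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
}
```

Paste the Set-Cookie lines from the browser's network tab or from `curl -I` against your server into SAMPLE_HEADERS to check a live setup; the cookie re-issued by the XPages code above should come back with no findings, while the bare cookie set by the login form will show all three.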
Fredrik, I have been asking for SameSite cookies for a long time. It is frustrating.
The problems that could come from this haven't been checked enough. I'm surprised there aren't more problems on sites.
Hi Fredrik
Which version of Notes/Domino have you tried? Is it usable in 9.x?
Thanks
It should work on versions 9.0.1, 10 and 11.
Add this to the “I can’t believe it’s not in Domino” list. Like MFA/2FA.
Fredrik,
The only problem is that this would not work for other design elements like agents and file resources. This has been requested for a long time and it is still not in Domino 11.0.1.
It works if you send the user to an XPage first and then redirect to the file resource or agent.
That would require re-architecting everything. Most likely we will have to put Nginx in front of Domino again.