Domino cookies needs to be secure and have samesite

Posted by on 24 August,2020 Leave a comment (14) Go to comments

The first thing is that Domino authentication cookies needs to be secured so you can’t hijack the content. This can be performed using the httponly and secure attributes.

Secondly we might need a way to add the samesite attribute to the cookies if we get problems with the new settings in Chrome. The same site settings is to block third party cookies that is used for advertising but in Domino this could give you problems if your applications is bouncing between domains. How to achieve this.

Server setting, no the Domino server doesn’t have this setting.
Vote for the Same site ideas on Domino ideas, UPDATE 2022 your votes made a difference this is now in Domino 12

Javascript, no that isn’t an option because the settings added removes control from javascript.

But using XPages we have no problem reading and set the cookies again with the correct attributes.

I’ve added this to the after page load event, you need to add this code for all Domino Related cookies that your setup use. Like LTPAToken, SessionID or DomAuthSessId

var c:javax.servlet.http.Cookie = cookie.get("DomAuthSessId")
var response=facesContext.getExternalContext().getResponse();
if(c){
if(c.getSecure()==false){

response.addHeader("Set-Cookie","DomAuthSessId="+c.getValue()+"; Path=/; Secure; HttpOnly; SameSite=None");
}
}

This changes the cookies after you have done a login but it will not help if the cookies is removed when you do a login.

Posts
Leave a comment ?

14 Comments.

  1. Richard Moy 25 August,2020 at 14:38

    Fredrik, I have been asking for Samesite cookies for a long time. It is frustrating.

    Reply
  2. Ruben 31 August,2020 at 19:10

    Hi Fredrik
    Wich version of notes/domino have you tried? It’s useful in 9.x?

    Thanks

    Reply
  3. Darren Duke 3 September,2020 at 16:15

    Add this to the “I can’t believe it’s not in Domino” list. Like MFA/2FA.

    Reply
  4. Richard Moy 15 September,2020 at 00:43

    Fredrik,

    The only problem is this would not work for other design elements like agents and file resources. This has been requested for a long time and it is still not in Domino 11.0.1

    Reply
  5. Fredrik 15 September,2020 at 09:11

    It works if you sends the user to an xpage and after that redirect to the file resource or agent.

    Reply
  6. Larry 1 October,2021 at 12:32

    This only works after reloading the webpage. Is there a way to load it when the page loads the first time?

    Reply
  7. Fredrik 5 October,2021 at 17:36

    If the xpage is the first thing loaded after the login, then cookies will be set directly without a reload

    Reply
    • Larry 19 October,2021 at 14:10

      There’s no login page. It’s the first page to load and doesn’t appear to have the SessionID secure until I refresh the same page.

      Reply
  8. Larry-ITS Yeboah 19 October,2021 at 12:50

    Thanks for the reply. There’s no login page. It’s the first page to load.

    Reply
  9. Jeffrey Redding 10 May,2022 at 18:50

    Hello Fredrik –

    Above you mention: “This can be performed using the httponly and secure attributes.” Can the secure attribute be set server wide? I set it with LTPA_ADD_SECURE_TAG=1 in the notes.ini for SSO, but still do have some SESSIONID without the secure attribute that gets flagged in burb scans. My apologies if the point of your post is that there is no server wide setting. Hoping that was specific to Same-Site. Thanks.

    Reply

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.