Thursday, 18 March 2010

Admin Notes: Securing the DomAuthSessId cookie or not...

When you log into a Lotus Domino web application the normal way, through a web browser using the default login method (ie, not using a custom library or script to create the session yourself), you are rewarded with a session cookie that allows you access to the server.

However, you do not seem to be able to specify the security of the session cookie.  It is neither secure, or does it have its access limited to HTTP requests only.

You would achieve these two states by adding the 'Secure' flag or the 'HTTPOnly' flags to the cookie.  In the context that I'm working in, those two settings would make some of the people I work with feel a little more warm and fuzzy inside.

Anyone come up with a solution for this that does not require me to rebuild the otherwise perfectly fine login functionality?