Skip to main content

Admin Notes: Securing the DomAuthSessId cookie or not...

When you log into a Lotus Domino web application the normal way, through a web browser using the default login method (ie, not using a custom library or script to create the session yourself), you are rewarded with a session cookie that allows you access to the server.

However, you do not seem to be able to specify the security of the session cookie.  It is neither secure, or does it have its access limited to HTTP requests only.

You would achieve these two states by adding the 'Secure' flag or the 'HTTPOnly' flags to the cookie.  In the context that I'm working in, those two settings would make some of the people I work with feel a little more warm and fuzzy inside.

Anyone come up with a solution for this that does not require me to rebuild the otherwise perfectly fine login functionality?

Comments

  1. Chris8 December 2010 at 07:28

    I'm running into the same issue, it looks like it can be turned on in websphere, but I haven't seen an option for it in Domino : ( Did you happen to find a solution?

    ReplyDelete
  2. wildunknown8 December 2010 at 14:29

    Only through writing your own login agents and popping out to the C-api to create your own token.

    ReplyDelete
  3. Chris14 December 2010 at 09:37

    OK, thanks for the info. I did find an option if using SSO for others who may run into this: SPR# LORN7FRLHQ - Added the ability to add the 'secure' or 'httponly' tags to Domino's single sign-on cookies. New notes.ini to enable this are: LTPA_ADD_SECURE_TAG=1 and LTPA_ADD_HTMLONLY_TAG=1

    ReplyDelete
  4. Chris30 May 2011 at 08:23

    OK, thanks for the info. I did find an option if using SSO for others who may run into this: SPR# LORN7FRLHQ - Added the ability to add the 'secure' or 'httponly' tags to Domino's single sign-on cookies. New notes.ini to enable this are: LTPA_ADD_SECURE_TAG=1 and LTPA_ADD_HTMLONLY_TAG=1

    ReplyDelete

Post a Comment

Popular posts from this blog

Fun Little Earthquake

It's 1:45pm EST in Ottawa, Ontario, Canada. We just had an earthquake.  Not strong enough to damage anything, but enough that I watched people run out of buildings. What a fun Wednesday.
24 comments
Read more

Error 217 - Error creating product object on Domino 64 bit

I'd like to share something with you.   An error that you'll get if you are trying to use ODBC with Domino 8.5.1 64bit. It starts out with an agent error of Error 217.  The text of the error is "Error creating product object" You can read about it here on the Notes/Domino forum . You can find the solution here as well . I guess I'm now waiting for Domino 8.5.2 for a solution for this.   It would have been nice to have had this in the release notes.  It would have help me greatly.
5 comments
Read more

Lotus Trading Cards

I was painting the house last night, and my mind got to wandering... Bruce Elgort mentioned on Twitter last night that he was thinking of a VC fund for Lotus projects. So my mind wandered about that, and turned to how we present ourselves. I got to thinking that business cards are so ... old school. I think we need Trading Cards. So, here are the first few I've come up with.
12 comments
Read more