When you log into a Lotus Domino web application the normal way, through a web browser using the default login method (ie, not using a custom library or script to create the session yourself), you are rewarded with a session cookie that allows you access to the server.
However, you do not seem to be able to specify the security of the session cookie. It is neither secure, or does it have its access limited to HTTP requests only.
You would achieve these two states by adding the 'Secure' flag or the 'HTTPOnly' flags to the cookie. In the context that I'm working in, those two settings would make some of the people I work with feel a little more warm and fuzzy inside.
Anyone come up with a solution for this that does not require me to rebuild the otherwise perfectly fine login functionality?
However, you do not seem to be able to specify the security of the session cookie. It is neither secure, or does it have its access limited to HTTP requests only.
You would achieve these two states by adding the 'Secure' flag or the 'HTTPOnly' flags to the cookie. In the context that I'm working in, those two settings would make some of the people I work with feel a little more warm and fuzzy inside.
Anyone come up with a solution for this that does not require me to rebuild the otherwise perfectly fine login functionality?
I'm running into the same issue, it looks like it can be turned on in websphere, but I haven't seen an option for it in Domino : ( Did you happen to find a solution?
ReplyDeleteOnly through writing your own login agents and popping out to the C-api to create your own token.
ReplyDeleteOK, thanks for the info. I did find an option if using SSO for others who may run into this: SPR# LORN7FRLHQ - Added the ability to add the 'secure' or 'httponly' tags to Domino's single sign-on cookies. New notes.ini to enable this are: LTPA_ADD_SECURE_TAG=1 and LTPA_ADD_HTMLONLY_TAG=1
ReplyDeleteOK, thanks for the info. I did find an option if using SSO for others who may run into this: SPR# LORN7FRLHQ - Added the ability to add the 'secure' or 'httponly' tags to Domino's single sign-on cookies. New notes.ini to enable this are: LTPA_ADD_SECURE_TAG=1 and LTPA_ADD_HTMLONLY_TAG=1
ReplyDelete