Skip to main content

Admin Notes: Securing the DomAuthSessId cookie or not...

When you log into a Lotus Domino web application the normal way, through a web browser using the default login method (ie, not using a custom library or script to create the session yourself), you are rewarded with a session cookie that allows you access to the server.

However, you do not seem to be able to specify the security of the session cookie.  It is neither secure, or does it have its access limited to HTTP requests only.

You would achieve these two states by adding the 'Secure' flag or the 'HTTPOnly' flags to the cookie.  In the context that I'm working in, those two settings would make some of the people I work with feel a little more warm and fuzzy inside.

Anyone come up with a solution for this that does not require me to rebuild the otherwise perfectly fine login functionality?

Comments

  1. I'm running into the same issue, it looks like it can be turned on in websphere, but I haven't seen an option for it in Domino : ( Did you happen to find a solution?

    ReplyDelete
  2. Only through writing your own login agents and popping out to the C-api to create your own token.

    ReplyDelete
  3. OK, thanks for the info. I did find an option if using SSO for others who may run into this: SPR# LORN7FRLHQ - Added the ability to add the 'secure' or 'httponly' tags to Domino's single sign-on cookies. New notes.ini to enable this are: LTPA_ADD_SECURE_TAG=1 and LTPA_ADD_HTMLONLY_TAG=1

    ReplyDelete
  4. OK, thanks for the info. I did find an option if using SSO for others who may run into this: SPR# LORN7FRLHQ - Added the ability to add the 'secure' or 'httponly' tags to Domino's single sign-on cookies. New notes.ini to enable this are: LTPA_ADD_SECURE_TAG=1 and LTPA_ADD_HTMLONLY_TAG=1

    ReplyDelete

Post a Comment

Popular posts from this blog

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security. Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence , which are a great read for anyone looking at updating or auditing your policies for completeness. The SANS top 20 controls are a must for any organization: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Maintenance, Monitoring, and Analysis of Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access Based on the Need to Know Continuous Vulnerability Assessment and Remediation Account Monitoring and Control Malware Defenses Limitation and Control

Fun Little Earthquake

It's 1:45pm EST in Ottawa, Ontario, Canada. We just had an earthquake.  Not strong enough to damage anything, but enough that I watched people run out of buildings. What a fun Wednesday.

Reminder: Increase the maximum available memory on your Lotus Notes client JVM today!

Yup, that's right.  Public Service Announcement time. If you haven't increased the maximum memory available to your Lotus Notes JVM yet, what are you waiting for? By default, the Notes JVM only has 256mb of memory available to it.  On a system with 4GB+ of memory, you should be easily able to increase it to 1/4 to 1/3 of the system memory and improve the end user performance. Here's how: Shut down Lotus Notes. In order to make sure that all processes are stopped, run this command:  Start -> Run Type: C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe -kill Open: C:\Program Files (x86)\IBM\Lotus\Notes\framework\rcp\deploy\ Open the "jvm.properties" file in a text editor like notepad.  You will possibly require Administrator permissions. At the beginning of the file, you will see text surrounded by a lot of pound signs ####. The first ‘property’ after the last # sign is: vmarg.Xmx=-Xmx256m Change 256m to 1024m so that the line reads: vmarg.X