#dominoforever | Product Ideas Portal

 

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

DomAuthSessId with SameSite attribute

Add the SameSite attribute to the DomAuthSessId cookie so we can still send requests to the database via localhost.

 

Message from Chrome:

A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
  • Guest
  • Dec 11 2019
  • Shipped
  • Attach files
  • Admin
    Thomas Hampel commented
    15 Jul 01:12pm
  • Guest commented
    19 Feb 04:30pm

    LtpaToken and DomAuthSessId has been configurable at least since Domino 9.0.1. Read my blog post for details:

    https://blog.semaphor.dk/semaphor/blog.nsf/entries/20201105T1152

  • Guest commented
    27 Jan 10:56pm

    Interim Solution: After Login redirect to a LotusScript. Read webdoc.HTTP_COOKIE and search the LTPATokenName - get the value and
    Print {Set-Cookie: _TokenName=}LTPATokenValue{;domain=LTPADomain{;path=/;SameSite=Lax;Secure;HttpOnly}
    will update the cookie. Not perfect, but seems to work :-)


  • Guest commented
    27 Jan 08:50pm

    Any news here. Found an old notes.ini value (LTPA_ADD_SECURE_TAG=1), but seems not to work. HttpOnly is not enough for a modern architecture.

  • Guest commented
    12 Nov, 2020 02:07pm

    This is not an option. This is a must have.

  • Guest commented
    19 Oct, 2020 10:18am

    It's about time, we really need this now. We're facing iframe integration problems with the new edge browser now as well. At Domino generated Cookies(mainly Auth, but also SessionID and so on) should have a configurable option for handling the samesite attibute.

  • Guest commented
    5 Oct, 2020 06:22am

    Please make this happen soon!

  • Guest commented
    7 Jul, 2020 02:26pm

    For reference please see => https://web.dev/samesite-cookies-explained/

  • Guest commented
    7 Jul, 2020 02:24pm

    Also LPTA authentication cookies too!

  • Guest commented
    19 Mar, 2020 07:27am

    Soon all our customers will be updated:

    https://www.chromium.org/updates/same-site

  • Guest commented
    19 Mar, 2020 07:24am

    We are now experiencing issues due to rollout Chrome 80...

  • Guest commented
    19 Mar, 2020 07:02am

    We already received the first issues with our customers. We really need to have this in Domino! We run Xpages inside a 'Outlook 365 add-in' and currently this change breaks our application now, users can not log in Domino anymore because this uses iframes.

  • Guest commented
    3 Mar, 2020 09:09am

    Chrome is rolling out the samesite checks so this is urgent now, others will follow more soon than later.

    However, this not only applies to the DomAuthSessId and LTPATokens, it should generally be honored for ALL cookies that the server generates upon itself, e.g. the SessionID-cookie to identify the XPage session. Maybe it could be possible to configure it by notes.ini params for individual cookie names wheather one should be accessorized with the correct samesite attributes.

    We use xpages in iframe environments so not having the correct samesite attributes breaks our domino business apps integrations in connections for example.

  • Guest commented
    3 Jan, 2020 04:18am

    This gets my vote, this should be made available urgently.

    Add a SameSite field with options None,Lax and Secure to the Web SSO configuration, next to Require SSL protected communication (HTTPS) and Restrict use of the SSO token to HTTP/HTTPS. 

     

    The missing SameSite on the LtpaToken always comes up in Penetration Tests.