HCL Domino Ideas Portal

Status: Shipped
Workspace: Domino
Created by: Guest
Created on: Dec 11, 2019

DomAuthSessId with SameSite attribute

Add the SameSite attribute to the DomAuthSessId cookie so we can still send requests to the database via localhost.

Message from Chrome:

A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
    • Guest, Feb 19, 2021

      LtpaToken and DomAuthSessId have been configurable at least since Domino 9.0.1. Read my blog post for details:

      https://blog.semaphor.dk/semaphor/blog.nsf/entries/20201105T1152

    • Guest, Jan 27, 2021

      Interim Solution: After login, redirect to a LotusScript agent. Read webdoc.HTTP_COOKIE, search for the LTPATokenName, get the value, and
      Print {Set-Cookie: } & TokenName & {=} & LTPATokenValue & {;domain=} & LTPADomain & {;path=/;SameSite=Lax;Secure;HttpOnly}
      will update the cookie. Not perfect, but seems to work :-)

    • Guest, Jan 27, 2021

      Any news here? Found an old notes.ini value (LTPA_ADD_SECURE_TAG=1), but it seems not to work. HttpOnly is not enough for a modern architecture.

    • Guest, Nov 12, 2020

      This is not an option. This is a must have.

    • Guest, Oct 19, 2020

      It's about time; we really need this now. We're facing iframe integration problems with the new Edge browser now as well. All Domino-generated cookies (mainly Auth, but also SessionID and so on) should have a configurable option for handling the SameSite attribute.

    • Guest, Oct 5, 2020

      Please make this happen soon!

    • Guest, Jul 7, 2020

      For reference, please see: https://web.dev/samesite-cookies-explained/

    • Guest, Jul 7, 2020

      Also LTPA authentication cookies too!

    • Guest, Mar 19, 2020

      Soon all our customers will be updated:

      https://www.chromium.org/updates/same-site

    • Guest, Mar 19, 2020

      We are now experiencing issues due to the rollout of Chrome 80...

    • Guest, Mar 19, 2020

      We already received the first issues from our customers. We really need to have this in Domino! We run XPages inside an 'Outlook 365 add-in', and currently this change breaks our application; users cannot log in to Domino anymore because it uses iframes.

    • Guest, Mar 3, 2020

      Chrome is rolling out the SameSite checks, so this is urgent now; others will follow sooner rather than later.

      However, this not only applies to the DomAuthSessId and LTPA tokens; it should generally be honoured for ALL cookies that the server generates on its own, e.g. the SessionID cookie that identifies the XPages session. Maybe it could be possible to configure, via notes.ini parameters for individual cookie names, whether each one should be accessorized with the correct SameSite attributes.

      We use XPages in iframe environments, so not having the correct SameSite attributes breaks our Domino business app integrations in Connections, for example.

    • Guest, Jan 3, 2020

      This gets my vote, this should be made available urgently.

      Add a SameSite field with options None, Lax and Secure to the Web SSO configuration, next to "Require SSL protected communication (HTTPS)" and "Restrict use of the SSO token to HTTP/HTTPS".


      The missing SameSite on the LtpaToken always comes up in Penetration Tests.
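The check that surfaces this finding in a pentest or in an admin's own review, as an added example that is not code from the portal or from HCL: it applies the Chrome 80+ rules quoted in the idea (no SameSite is treated as Lax; SameSite=None is only honoured with Secure) to captured Set-Cookie values for DomAuthSessId, LtpaToken and SessionID. The sample headers are constructed, not taken from a real server.

```python
"""Audit Set-Cookie headers for SameSite/Secure/HttpOnly using the Chrome 80+
rules quoted in the idea: no SameSite means Lax (withheld from cross-site
requests such as an embedded iframe); SameSite=None needs Secure."""

# Domino cookie names taken from the idea and its comments.
DOMINO_SESSION_COOKIES = {"DomAuthSessId", "LtpaToken", "SessionID"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs

def audit_cookie(header):
    """Return (name, cross_site_ok, findings) for one Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header)
    samesite = str(attrs.get("samesite", "")).lower()
    secure = "secure" in attrs
    findings = []
    if not samesite:
        findings.append("no SameSite: Chrome 80+ treats it as Lax, dropped on cross-site requests")
    elif samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: Chrome rejects the cookie")
    if not secure:
        findings.append("no Secure: cookie can travel over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: cookie is readable from script")
    # Only SameSite=None together with Secure survives an iframe or add-in embedding.
    return name, samesite == "none" and secure, findings

def audit_headers(headers):
    """Audit only the Domino session cookies among a list of Set-Cookie values."""
    return [audit_cookie(h) for h in headers
            if parse_set_cookie(h)[0] in DOMINO_SESSION_COOKIES]

SAMPLE_HEADERS = [  # constructed samples, not captured from a real server
    "DomAuthSessId=0123456789ABCDEF; path=/; HttpOnly",  # Domino default
    "LtpaToken=AAECAwQ=; domain=.example.com; path=/; SameSite=None; HttpOnly",
    "LtpaToken=AAECAwQ=; domain=.example.com; path=/; SameSite=None; Secure; HttpOnly",
    "SessionID=XYZ; path=/",
    "other=1; path=/",  # not a session cookie, ignored
]

if __name__ == "__main__":
    for name, ok, findings in audit_headers(SAMPLE_HEADERS):
        print(f"{name}: cross-site usable={ok}; " + ("; ".join(findings) or "OK"))
```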

    Merged idea (30 votes): SameSite attribute is not set for the session cookie 'DomAuthSessId'

    SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
    About 5 years ago, in Domino / Security, Shipped