Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status Shipped
Workspace Domino
Created by Guest
Created on Dec 11, 2019

DomAuthSessId with SameSite attribute

Add the SameSite attribute to the DomAuthSessId cookie so we can still send requests to the database via localhost.

 

Message from Chrome:

A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
  • Attach files
  • Admin
  • Guest
    Feb 19, 2021

    LtpaToken and DomAuthSessId has been configurable at least since Domino 9.0.1. Read my blog post for details:

    https://blog.semaphor.dk/semaphor/blog.nsf/entries/20201105T1152

  • Guest
    Jan 27, 2021

    Interim Solution: After Login redirect to a LotusScript. Read webdoc.HTTP_COOKIE and search the LTPATokenName - get the value and
    Print {Set-Cookie: _TokenName=}LTPATokenValue{;domain=LTPADomain{;path=/;SameSite=Lax;Secure;HttpOnly}
    will update the cookie. Not perfect, but seems to work :-)


  • Guest
    Jan 27, 2021

    Any news here. Found an old notes.ini value (LTPA_ADD_SECURE_TAG=1), but seems not to work. HttpOnly is not enough for a modern architecture.

  • Guest
    Nov 12, 2020

    This is not an option. This is a must have.

  • Guest
    Oct 19, 2020

    It's about time, we really need this now. We're facing iframe integration problems with the new edge browser now as well. At Domino generated Cookies(mainly Auth, but also SessionID and so on) should have a configurable option for handling the samesite attibute.

  • Guest
    Oct 5, 2020

    Please make this happen soon!

  • Guest
    Jul 7, 2020

    For reference please see => https://web.dev/samesite-cookies-explained/

  • Guest
    Jul 7, 2020

    Also LPTA authentication cookies too!

  • Guest
    Mar 19, 2020

    Soon all our customers will be updated:

    https://www.chromium.org/updates/same-site

  • Guest
    Mar 19, 2020

    We are now experiencing issues due to rollout Chrome 80...

  • Guest
    Mar 19, 2020

    We already received the first issues with our customers. We really need to have this in Domino! We run Xpages inside a 'Outlook 365 add-in' and currently this change breaks our application now, users can not log in Domino anymore because this uses iframes.

  • Guest
    Mar 3, 2020

    Chrome is rolling out the samesite checks so this is urgent now, others will follow more soon than later.

    However, this not only applies to the DomAuthSessId and LTPATokens, it should generally be honored for ALL cookies that the server generates upon itself, e.g. the SessionID-cookie to identify the XPage session. Maybe it could be possible to configure it by notes.ini params for individual cookie names wheather one should be accessorized with the correct samesite attributes.

    We use xpages in iframe environments so not having the correct samesite attributes breaks our domino business apps integrations in connections for example.

  • Guest
    Jan 3, 2020

    This gets my vote, this should be made available urgently.

    Add a SameSite field with options None,Lax and Secure to the Web SSO configuration, next to Require SSL protected communication (HTTPS) and Restrict use of the SSO token to HTTP/HTTPS. 

     

    The missing SameSite on the LtpaToken always comes up in Penetration Tests.

30 MERGED

SameSiteattribute is not set for the session cookie 'DomAuthSessId'

Merged
SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
almost 3 years ago in Domino / Security 4 Shipped