#dominoforever | Product Ideas Portal

 

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

DomAuthSessId with SameSite attribute

Add the SameSite attribute to the DomAuthSessId cookie so we can still send requests to the database via localhost.

 

Message from Chrome:

A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Dec 11 2019
  • Needs review
  • Attach files
  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    19 Oct 10:18am

    It's about time, we really need this now. We're facing iframe integration problems with the new edge browser now as well. At Domino generated Cookies(mainly Auth, but also SessionID and so on) should have a configurable option for handling the samesite attibute.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    5 Oct 06:22am

    Please make this happen soon!

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    7 Jul 02:26pm

    For reference please see => https://web.dev/samesite-cookies-explained/

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    7 Jul 02:24pm

    Also LPTA authentication cookies too!

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    19 Mar 07:27am

    Soon all our customers will be updated:

    https://www.chromium.org/updates/same-site

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    19 Mar 07:24am

    We are now experiencing issues due to rollout Chrome 80...

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    19 Mar 07:23am

    TTLpe4OR71Kl#DVqIy

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    19 Mar 07:02am

    We already received the first issues with our customers. We really need to have this in Domino! We run Xpages inside a 'Outlook 365 add-in' and currently this change breaks our application now, users can not log in Domino anymore because this uses iframes.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    3 Mar 09:09am

    Chrome is rolling out the samesite checks so this is urgent now, others will follow more soon than later.

    However, this not only applies to the DomAuthSessId and LTPATokens, it should generally be honored for ALL cookies that the server generates upon itself, e.g. the SessionID-cookie to identify the XPage session. Maybe it could be possible to configure it by notes.ini params for individual cookie names wheather one should be accessorized with the correct samesite attributes.

    We use xpages in iframe environments so not having the correct samesite attributes breaks our domino business apps integrations in connections for example.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    3 Jan 04:18am

    This gets my vote, this should be made available urgently.

    Add a SameSite field with options None,Lax and Secure to the Web SSO configuration, next to Require SSL protected communication (HTTPS) and Restrict use of the SSO token to HTTP/HTTPS. 

     

    The missing SameSite on the LtpaToken always comes up in Penetration Tests.