#dominoforever | Product Ideas Portal

 

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Missing Secure Attribute in Encrypted Session (SSL) Cookie.

Hi Team,

Regarding case no : CS0038809 - Require SSL protected communication HTTPS for single server session cookie

As suggested by Melnicl(HCL PMR Team) we need to enable http only : false option in DOMRELAYSTATE cookies. we require this option to fix Domino vulnerabilities.

Please find Attached document for reference.

 

Thanks

  • Guest
  • Nov 18 2019
  • Needs clarification
  • Attach files
  • Guest commented
    9 Dec, 2020 09:21pm

    Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS. When this is the case, the attacker eavesdropping on the communication channel from the browser to the server will not be able to read the cookie. Example HttpOnly & secure websphere https://www.ibm.com/support/pages/setting-httponly-and-secure-flags-websphere-application-server-cookies

  • Guest commented
    11 Jan, 2020 02:14pm

    Hello Thomas, I tried forward a note with reproduced steps at  Thomas Hampel/Germany/IBM but returned... do y have other I can provide ?

  • Admin
    Thomas Hampel commented
    11 Jan, 2020 08:05am
    Can you explain when a cookie is not SSL secured if the server is only configured for SSL ???