HCL Domino Ideas Portal


Status No Plans to Implement
Workspace Domino
Categories Security
Created by Guest
Created on Nov 18, 2019

Missing Secure Attribute in Encrypted Session (SSL) Cookie.

Hi Team,

Regarding case no. CS0038809 - Require SSL protected communication (HTTPS) for single server session cookie

As suggested by Melnicl (HCL PMR Team), we need to enable the "http only : false" option in DOMRELAYSTATE cookies. We require this option to fix Domino vulnerabilities.

Please find Attached document for reference.

 

Thanks

  • Guest, Jun 23, 2022

    Please Add Ability to Set Secure Cookie Attribute To Domino Server

    Can the ability to set the Secure cookie attribute be added to the HCL Domino server? This could be done similar to the SameSite cookie attribute that was added to Domino version 12.0.x.

    Most HTTP servers provide the ability to set the Secure cookie attribute and it is a shortcoming of Domino to not provide the ability to set the Secure cookie server-wide. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. We are always hosting on HTTPS and never on HTTP. However, this Secure cookie attribute is important even when only hosting on HTTPS.

    If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie’s scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

    To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim’s network traffic. This typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user’s ISP or the application’s hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet’s core infrastructure.

    When Burp scans are done on Domino hosted sites, the sites are flagged for a medium vulnerability for the lack of the Secure flag on cookies. This lack of the Secure flag makes it difficult to provide customers sites that pass Cyber Security requirements completely. The vulnerability flagged is “CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute”. Please note that a cookie without the Secure attribute in an HTTPS session is considered vulnerable. The following screen shots are from a Burp scan report:

  • Admin Thomas Hampel, Jan 25, 2022

    As mentioned before, you cannot protect data that is sent without SSL protection. Closing the idea as "No plans to implement". However, if you are looking to manage the SameSite cookie preference in TLS protected situations, then refer to this: https://help.hcltechsw.com/domino/12.0.0/admin/conf_samesite_cookie.html

  • Guest, Dec 9, 2020

    Security of cookies is an important subject. HttpOnly and Secure flags can be used to make the cookies more secure. When a Secure flag is used, the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS. When this is the case, an attacker eavesdropping on the communication channel from the browser to the server will not be able to read the cookie. Example of HttpOnly & Secure on WebSphere: https://www.ibm.com/support/pages/setting-httponly-and-secure-flags-websphere-application-server-cookies
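The two comments above (Jun 23, 2022 on the Secure flag and the http://example.com:443/ case, and Dec 9, 2020 on HttpOnly and Secure) describe a check and a browser rule in prose. The following is an added example, not code from the thread or from HCL Domino: it parses Set-Cookie header values, reports the CWE-614 condition the way a scanner would, models the browser's decision not to attach a Secure cookie to a non-HTTPS URL (port 443 or not), and shows the reverse-proxy style mitigation of appending the missing attributes. The cookie name DOMRELAYSTATE is taken from the original post; the cookie values and the second header are constructed sample data.

```python
"""Added example: audit Set-Cookie headers for Secure/HttpOnly and model why a
cookie without Secure is still sent on http://host:443/ (not HCL Domino code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CWE_614 = "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"

# Constructed sample headers: the first lacks both flags, the second has both.
SAMPLE_SET_COOKIE = [
    "DOMRELAYSTATE=abc123; Path=/",                               # constructed value
    "sessionid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",   # constructed cookie
]


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    attributes: dict = field(default_factory=dict)   # other attrs, keys lower-cased


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 shape: name=value; attr; attr=val)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")          # split on the first '=' only
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        else:
            cookie.attributes[key] = val.strip()
    return cookie


def audit(headers):
    """Return (cookie name, finding) pairs in the spirit of a scanner's CWE-614 check."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.secure:
            findings.append((cookie.name, CWE_614))
        if not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly attribute"))
    return findings


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """Model the browser rule from the comment: a Secure cookie is never attached to a
    request whose scheme is not https, regardless of port; path scope is also checked."""
    parts = urlsplit(url)
    request_path = parts.path or "/"
    cookie_path = cookie.attributes.get("path", "/")
    if not request_path.startswith(cookie_path):
        return False                                  # outside the cookie's path scope
    if cookie.secure and parts.scheme.lower() != "https":
        return False                                  # Secure cookie, plaintext scheme
    return True


def add_attributes(header: str, secure: bool = True, httponly: bool = True) -> str:
    """Mitigation a reverse proxy can apply: append Secure and/or HttpOnly if absent."""
    cookie = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if secure and not cookie.secure:
        out += "; Secure"
    if httponly and not cookie.httponly:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SET_COOKIE):
        print(f"{name}: {finding}")
    relay = parse_set_cookie(SAMPLE_SET_COOKIE[0])
    # Without Secure, the browser attaches the cookie to a plaintext request on port 443.
    print("sent over http://example.com:443/ ?", browser_would_send(relay, "http://example.com:443/"))
    print("hardened header:", add_attributes(SAMPLE_SET_COOKIE[0]))
```

Running the module prints the two findings for DOMRELAYSTATE, shows that the unflagged cookie would be attached to http://example.com:443/, and prints the header as it would look after a proxy appends Secure and HttpOnly; the flagged sessionid sample produces no findings.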

  • Guest, Jan 11, 2020

    Hello Thomas, I tried to forward a note with the reproduction steps to Thomas Hampel/Germany/IBM but it was returned... do you have another address I can provide it to?

  • Admin Thomas Hampel, Jan 11, 2020

    Can you explain when a cookie is not SSL secured if the server is only configured for SSL?