#dominoforever | Product Ideas Portal


Missing Secure Attribute in Encrypted Session (SSL) Cookie.

Hi Team,

Regarding case no : CS0038809 - Require SSL protected communication HTTPS for single server session cookie

As suggested by Melnicl (HCL PMR Team), we need to enable the http only : false option in DOMRELAYSTATE cookies. We require this option to fix Domino vulnerabilities.

Please find Attached document for reference.


Thanks

  • Guest
  • Nov 18 2019
  • No Plans to Implement
  • Guest commented
    23 Jun 06:14pm

    Please Add Ability to Set Secure Cookie Attribute To Domino Server

    Can the ability to set the Secure cookie attribute be added to the HCL Domino server? This could be done similar to the SameSite cookie attribute that was added to Domino version 12.0.x.

    Most HTTP servers provide the ability to set the Secure cookie attribute and it is a shortcoming of Domino to not provide the ability to set the Secure cookie server-wide. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. We are always hosting on HTTPS and never on HTTP. However, this Secure cookie attribute is important even when only hosting on HTTPS.

    If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie’s scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

    To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim’s network traffic. This typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user’s ISP or the application’s hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet’s core infrastructure.

    When Burp scans are done on Domino hosted sites, the sites are flagged for a medium vulnerability for the lack of the Secure flag on cookies. This lack of the Secure flag makes it difficult to provide customers sites that pass Cyber Security requirements completely. The vulnerability flagged is “CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute”. Please note that a cookie without the Secure attribute in an HTTPS session is considered vulnerable. The following screen shots are from a Burp scan report:
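The check a scanner performs for the finding described in this comment can be reproduced offline. The following is an added example, not code from HCL, Domino or the portal: it parses Set-Cookie headers and flags the attributes the thread discusses (Secure, HttpOnly, SameSite). The header values are constructed placeholders; DOMRELAYSTATE is the cookie named in the original post, the other cookie name is made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample Set-Cookie headers (placeholder values, not captured from a real server).
# The first one models the CWE-614 finding: an HTTPS session cookie without Secure.
SAMPLE_HEADERS = [
    "DOMRELAYSTATE=PLACEHOLDER_VALUE; Path=/; HttpOnly",
    "DOMRELAYSTATE=PLACEHOLDER_VALUE; Path=/; HttpOnly; Secure",
    "ExampleSession=PLACEHOLDER_VALUE; Path=/; Secure; HttpOnly; SameSite=Lax",
]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header into the cookie name and its attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag attributes get ""
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_cookie(header: str, over_https: bool = True) -> CookieAudit:
    """Flag missing attributes; a missing Secure flag on an HTTPS-issued cookie is CWE-614."""
    cookie = parse_set_cookie(header)
    if over_https and not cookie.secure:
        cookie.findings.append("CWE-614: missing Secure attribute on HTTPS cookie")
    if not cookie.httponly:
        cookie.findings.append("missing HttpOnly attribute")
    if cookie.samesite is None:
        cookie.findings.append("missing SameSite attribute")
    return cookie


def audit_all(headers: List[str], over_https: bool = True) -> List[CookieAudit]:
    return [audit_cookie(h, over_https) for h in headers]
```

Feed it the Set-Cookie headers from a captured HTTPS response (for example from a browser's developer tools) to confirm whether the server, or a front-end proxy in front of it, is adding the Secure attribute.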

  • Admin
    Thomas Hampel commented
    25 Jan 10:08am

    As mentioned before, you cannot protect data that is sent without SSL protection. Closing the idea as "No plans to implement". However, if you are looking for managing the SameSite cookie preference in TLS protected situations, then refer to this: https://help.hcltechsw.com/domino/12.0.0/admin/conf_samesite_cookie.html

  • Guest commented
    9 Dec, 2020 09:21pm

    Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS. When this is the case, the attacker eavesdropping on the communication channel from the browser to the server will not be able to read the cookie. Example of HttpOnly & secure flags in WebSphere: https://www.ibm.com/support/pages/setting-httponly-and-secure-flags-websphere-application-server-cookies

  • Guest commented
    11 Jan, 2020 02:14pm

    Hello Thomas, I tried to forward a note with reproduction steps to Thomas Hampel/Germany/IBM but it was returned... do you have another address I can provide it to?

  • Admin
    Thomas Hampel commented
    11 Jan, 2020 08:05am

    Can you explain when a cookie is not SSL secured if the server is only configured for SSL ???