Missing Secure Attribute in Encrypted Session (SSL) Cookie.

Please Add Ability to Set Secure Cookie Attribute To Domino Server

Can the ability to set the Secure cookie attribute be added to the HCL Domino server? This could be done similar to the SameSite cookie attribute that was added to Domino version 12.0.x.

Most HTTP servers provide the ability to set the Secure cookie attribute and it is a shortcoming of Domino to not provide the ability to set the Secure cookie server-wide. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. We are always hosting on HTTPS and never on HTTP. However, this Secure cookie attribute is important even when only hosting on HTTPS.

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivally intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie’s scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/
Example Domain
Example Domain. This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.
example.com
to perform the same attack.

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim’s network traffic. This typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user’s ISP or the application’s hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet’s core infrastructure.

When Burb scans are done on Domino hosted sites, the sites are flagged for a medium vulnerability for the lack of the Secure flag on cookies. This lack of the Secure flag makes it difficult to provide customers sites that pass Cyber Security requirements completely. The vulnerability flagged is “CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute”. Please note that a cookie without the Secure attribute in an HTTPS session is considered vulnerable. The following screen shots are from a Burb scan report:

as mentioned before, you can not protect data that is sent without SSL protection. Closing the idea as "No plans to implement" - However if you are looking for managing the samesite cookie preference in TLS protected situations, then refer to this : https://help.hcltechsw.com/domino/12.0.0/admin/conf_samesite_cookie.html

Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS. When this is the case, the attacker eavesdropping on the communication channel from the browser to the server will not be able to read the cookie. Example HttpOnly & secure websphere https://www.ibm.com/support/pages/setting-httponly-and-secure-flags-websphere-application-server-cookies

Hello Thomas, I tried forward a note with reproduced steps at  Thomas Hampel/Germany/IBM but returned... do y have other I can provide ?

Can you explain when a cookie is not SSL secured if the server is only configured for SSL ???