Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status Already Exists
Workspace Domino
Categories Security
Created by Guest
Created on May 27, 2022

Add Ability To Set Secure Cookie Attribute To Domino Server

Can the ability to set the Secure cookie attribute be added to the HCL Domino server? This could be done similar to the SameSite cookie attribute that was added to Domino version 12.0.x.

Most HTTP servers provide the ability to set the Secure cookie attribute and it is a shortcoming of Domino to not provide the ability to set the Secure cookie server-wide. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. We are always hosting on HTTPS and never on HTTP. However, this Secure cookie attribute is important even when only hosting on HTTPS.

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivally intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie’s scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form to perform the same attack.

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim’s network traffic. This typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user’s ISP or the application’s hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet’s core infrastructure.

When Burb scans are done on Domino hosted sites, the sites are flagged for a medium vulnerability for the lack of the Secure flag on cookies. This lack of the Secure flag makes it difficult to provide customers sites to pass Cyber Security requirements completely. The vulnerability flagged is “CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute”. Please note that a cookie without the Secure attribute in an HTTPS session is considered vulnerable.

  • Attach files
  • Guest
    Oct 25, 2023

    The feature does exist, but the implementation is neither intuitive, nor admin-friendly.

    As a result, almost nobody has the "secure" flag set, when everybody should have it set.

    The feature should be either automatic (provide "secure" flag automatically when https is used) or configurable via Domino Directory.

  • Admin
  • Guest
    Jun 28, 2022

    In \Domino\data\properties directory you can create file base on original file (rename it or copy, paste). In cookie management (after all commented lines) section add