Semaphor blog
Blog: Semaphor

Insecure cookies will be rejected by newer browsers

Cookies set by web pages, loaded by HTTPS, are also sent back to the server on request to the same hostname with HTTP. That gives a person with evil intent the ability to steal information and even hijack a login session.

Recently Mozilla Firefox started complaining, in the developer console, about cookies being vulnerable:

Cookie "return_to" will be soon rejected because it has the "SameSite" attribute set to "None" or an invalid value, without the "secure" attribute.

The default SameSite handling can be changed in Firefox Advanced Preferences, by writing about:config in the addressbar and then search for:
network.cookie.sameSite.laxByDefault
This is good for testing, but it is not a solution. The solution has to be done server-side.

Google Chrome has also implemented a similar cookie protection solution.

Set secure cookies in Domino

Setting a cookie from a Notes form, is done by calling:
@SetHTTPHeader("Set-Cookie"; "name=value")


The secure solution is:
@SetHTTPHeader("Set-Cookie"; "name=value; SameSite=Strict; Secure")

Securing Dominos multi server LtpaToken cookie

If you are using Dominos multiple servers session based login, it needs some tweaking too. In the Domino Directory, the SSO configuration is found in the Internet Sites view.

On the Basic tab you need to change:
"Require SSL protected communication (HTTPS)" to "Enabled".
"Restrict use of the SSO token to HTTP/HTTPS" to "Enabled".



Validation

After restarting the Domino HTTP task, the LtpaToken cookie is secured:

Cookie shown in the Firefox developer tools.
Cookie shown in the Firefox developer tools.

Securing Dominos single server DomAuthSessId cookie

If you are using Dominos single server session based login, it needs some tweaking too. In the Domino Directory, the website configuration is found in the Internet Sites view.

On the "Domino Web Engine" tab, change "Restrict use of single server session cookie to HTTP/HTTPS" to "Enabled", to keep it inaccessible from Javascript. Change "Require SSL protected communication HTTPS for single server session cookie" to "Enabled", to avoid sending the cookie unencrypted.



The validation is the same as with the multi server LtpaToken cookie.

Sources


05-11-2020 11:52

0 Comments

Add comment

Name:
E-mail:
City:
Job:
Subject:
Comment:
 
It may take a moment untill your comment is published.