Can the ability to set the Secure cookie attribute be added to the HCL Domino server? This could be done similar to the SameSite cookie attribute that was added to Domino version 12.0.x.
Most HTTP servers provide the ability to set the Secure cookie attribute and it is a shortcoming of Domino to not provide the ability to set the Secure cookie server-wide. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. We are always hosting on HTTPS and never on HTTP. However, this Secure cookie attribute is important even when only hosting on HTTPS.
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie’s scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim’s network traffic. This typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user’s ISP or the application’s hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet’s core infrastructure.
When Burp scans are done on Domino hosted sites, the sites are flagged for a medium vulnerability for the lack of the Secure flag on cookies. This lack of the Secure flag makes it difficult for customer sites to fully pass cyber security requirements. The vulnerability flagged is “CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute”. Please note that a cookie without the Secure attribute in an HTTPS session is considered vulnerable.
NOT ONLY xpages or sessionID, but also other sensitive cookies, such as LTPAToken.
The feature does exist, but the implementation is neither intuitive, nor admin-friendly.
As a result, almost nobody has the "secure" flag set, when everybody should have it set.
The feature should be either automatic (provide "secure" flag automatically when https is used) or configurable via Domino Directory.
Already exists:
https://help.hcltechsw.com/domino/12.0.2/admin/conf_session_id_cookie_for_xpages.html
In the \Domino\data\properties directory you can create an xsp.properties file based on the original xsp.properties.sample file (rename it, or copy and paste it). In the cookie management section (after all the commented lines), add xsp.sessionid.cookie.secure=true.
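A small audit script that ties the two threads of this page together: the CWE-614 finding described in the request (cookies issued in an HTTPS session without the Secure attribute, including SSO cookies such as LTPAToken) and the xsp.properties workaround from the comment above. This is an added example, not code from the idea post, from HCL, or from Burp; the Set-Cookie header values and the properties text it checks are constructed samples, and the list of sensitive cookie names is an assumption taken from the cookies named on this page.

```python
"""Audit Set-Cookie headers for the Secure attribute (CWE-614) and check an
xsp.properties file for an active xsp.sessionid.cookie.secure=true line.

Added example; not part of the idea post or of any HCL code. The header
values and properties text below are constructed samples."""
from typing import Dict, List

# Cookie names mentioned in the discussion: SessionID (XPages session cookie)
# and LTPAToken (SSO token). Assumption: these are the ones to treat as
# sensitive; matching is case-insensitive.
SENSITIVE_COOKIES = {"sessionid", "ltpatoken"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attributes are keyed in lower case; flag attributes (Secure, HttpOnly)
    map to True, valued ones (Path, Domain, SameSite) to their value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(set_cookie_values: List[str], https: bool = True) -> List[str]:
    """Return one finding per cookie that lacks the Secure attribute.

    A browser sends a cookie without Secure over plain HTTP as well, even if
    the site only listens on HTTPS, so every such cookie issued in an HTTPS
    session is reported; sensitive cookies are marked as such."""
    findings: List[str] = []
    if not https:
        return findings  # Secure only matters for cookies set over HTTPS
    for header_value in set_cookie_values:
        cookie = parse_set_cookie(header_value)
        if "secure" in cookie["attrs"]:
            continue
        tag = " [sensitive]" if cookie["name"].lower() in SENSITIVE_COOKIES else ""
        findings.append(f"{cookie['name']}: missing Secure attribute{tag}")
    return findings


def xsp_secure_enabled(properties_text: str) -> bool:
    """True only if an uncommented xsp.sessionid.cookie.secure=true is present.

    Java properties files treat lines starting with '#' or '!' as comments,
    which is why the setting must be added after the commented sample lines."""
    for line in properties_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, _, value = stripped.partition("=")
        if key.strip() == "xsp.sessionid.cookie.secure":
            return value.strip().lower() == "true"
    return False


# Constructed Set-Cookie values as a scanner would see them in HTTPS responses.
SAMPLE_HEADERS = [
    "SessionID=abc123; Path=/; HttpOnly",
    "LTPAToken=tok456; Path=/; Domain=.example.com",
    "SessionID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Constructed xsp.properties excerpt: a commented sample line followed by
# the active setting from the workaround.
SAMPLE_PROPERTIES = """\
# Cookie management
# xsp.sessionid.cookie.secure=true
xsp.sessionid.cookie.secure=true
"""

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
    print("xsp secure cookie enabled:", xsp_secure_enabled(SAMPLE_PROPERTIES))
```

Running the script reports the first two sample cookies and accepts the third, and confirms that only an uncommented properties line counts; pointing `audit_cookies` at the Set-Cookie headers of a real response is what a Burp-style scanner does for CWE-614.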