DominoSessionCookieUniqueNames

Profile

Description

• Enables a cluster-safe, sprayer-capable variant of the previous single-server session cookie DomAuthSessId.

• With =1, the cookie name is changed to DomAuthSessIdABCDEFGHIJK, where ABCDEFGHIJK are the first 11 characters of Base64url(SHA256(Domino server DN)) — i.e. unique per server.

• Background: Multiple Domino servers serving the same Internet site behind a sprayer/load balancer would, without this switch, all have a cookie named DomAuthSessId — they overwrite each other in the browser. With the server-specific suffix, each cookie remains uniquely preserved.

• Disabled by default because existing applications and sprayer rules that explicitly react to the name DomAuthSessId would otherwise break.

• HCL primarily recommends LTPA SSO; DominoSessionCookieUniqueNames is the solution when single-server cookies are explicitly needed but cluster-capable.

Example

DominoSessionCookieUniqueNames=1

• DomAuthSessId becomes, for example, DomAuthSessIdA1b2C3d4E5f.

Notes

• Changing requires a restart of the HTTP task or the server.

• Before enabling, check: are there applications, sprayer rules, or custom code that react fixedly to the cookie name DomAuthSessId? Then first switch these rules to prefix matching.

• Works on all supported platforms with Domino 14+.

• LTPA SSO usually remains the preferred cluster authentication; this parameter is the workaround for single-server sessions.

Sources (HCL Product Documentation)

• HCL Domino 14.0.0 – Cluster-safe, sprayable, single-server session cookies (DomAuthSessId): help.hcl-software.com/domino/14.0.0/admin/wn_domauthsessid.html