Parameter: HTTP_SESSION_COOKIES_SECURE
Short description: Adds the Secure flag to HTTP session and LTPA cookies so that they are transmitted only over HTTPS connections.
Profile
| Parameter | HTTP_SESSION_COOKIES_SECURE |
| Category | Security / TLS |
| Component | Server |
| Available since | 10.0 |
| Supported versions | 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | notes.ini only (no GUI) |
| Possible values | 0 = off (default), 1 = enforce Secure flag (recommended) |
Description
Without the Secure cookie attribute, browsers may send HTTP session cookies and LTPA tokens over unencrypted HTTP connections too – a classic attack vector for session hijacking on insecure networks. HTTP_SESSION_COOKIES_SECURE=1 forces Domino to set the Secure flag when creating cookies. As a result, browsers only transmit the cookies over HTTPS.
Example configuration
HTTP_SESSION_COOKIES_SECURE=1
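A quick way to verify that the setting took effect is to inspect the Set-Cookie headers the server returns after a login and confirm that the session and LTPA cookies carry the Secure attribute. The following is an added example (not part of this reference page and not Domino code): a small parser for Set-Cookie headers that reports authentication cookies lacking Secure, run here over constructed sample headers representing the server before and after the setting is enabled. The cookie names DomAuthSessId, LtpaToken and LtpaToken2 are assumed as the Domino session/LTPA cookie names; adjust the set for your environment.

```python
"""Check Set-Cookie headers for the Secure attribute.

Added example, not part of the original page. The authentication cookie
names below are assumptions about the Domino environment being checked.
"""
import urllib.request

# Assumed names of the Domino session and LTPA cookies (lower-cased for comparison).
AUTH_COOKIE_NAMES = {"domauthsessid", "ltpatoken", "ltpatoken2"}

# Constructed sample headers: what a server returns with the flag off (0) ...
SAMPLE_BEFORE = [
    "DomAuthSessId=CONSTRUCTED0001; Path=/; HttpOnly",
    "LtpaToken=CONSTRUCTEDTOKEN; Domain=.example.com; Path=/",
    "uiprefs=dark; Path=/",
]
# ... and with HTTP_SESSION_COOKIES_SECURE=1 in notes.ini.
SAMPLE_AFTER = [
    "DomAuthSessId=CONSTRUCTED0001; Path=/; Secure; HttpOnly",
    "LtpaToken=CONSTRUCTEDTOKEN; Domain=.example.com; Path=/; Secure",
    "uiprefs=dark; Path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into name, value and a dict of attributes.

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def insecure_auth_cookies(set_cookie_headers):
    """Return the names of authentication cookies that lack the Secure attribute."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].lower() in AUTH_COOKIE_NAMES and "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


def check_server(url):
    """Fetch URL (an HTTPS login or protected resource) and check its Set-Cookie headers.

    Network call; not exercised by the offline sample below.
    """
    with urllib.request.urlopen(url) as resp:
        headers = resp.headers.get_all("Set-Cookie") or []
    return insecure_auth_cookies(headers)


if __name__ == "__main__":
    for label, sample in (("flag off", SAMPLE_BEFORE), ("flag on", SAMPLE_AFTER)):
        missing = insecure_auth_cookies(sample)
        status = "OK" if not missing else "MISSING Secure on: " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run it against the constructed samples to see the two outcomes; point check_server at an HTTPS URL on the server to check a live response. The parser only flags the assumed authentication cookies, so unrelated cookies such as the sample uiprefs do not produce noise.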
Notes & pitfalls
- Strongly recommended for all publicly accessible Domino servers.
- Prerequisite: the server or the upstream reverse proxy must actually be reachable over HTTPS – otherwise browsers discard the cookies and logins fail.
- Takes effect after an HTTP restart (tell http restart).
- As a complement, enable HTTPHSTSIncludeSubDomains or the HSTS field in the Server document.