Parameter: WebSSO_Force_HTTPS
Short description: Forces WebSSO LTPA cookies to be set and accepted only over HTTPS (Secure flag).
Profile
Parameter | WebSSO_Force_HTTPS |
Category | Security / TLS |
Component | Server |
Available since | 10.0 |
Supported versions | 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = HTTP also allowed, 1 = HTTPS only (recommended) |
Description
WebSSO typically uses LTPA or Domino auth tokens that are stored in the browser as cookies. With WebSSO_Force_HTTPS=1, Domino sets the Secure attribute, so browsers transmit the cookie only over TLS-encrypted connections – a fundamental safeguard against session hijacking in open networks. In production environments the value should almost always be 1.
Example configuration
WebSSO_Force_HTTPS=1
Notes & pitfalls
- Only works if HTTPS is active on all participating servers (otherwise users will be logged out).
- Combines with LTPA_TokenName, WebSSO_Token_*, and the cookie domain in the WebSSO configuration document.
- In mixed setups (HTTP + HTTPS vhost), test carefully.
- A reverse proxy must set X-Forwarded-Proto correctly.
- The change takes effect after restarting the HTTP task (tell http restart).
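
Verification check (an added example, not part of the original page or of Domino itself): after the HTTP task restart, capture the login response headers and confirm the SSO cookie carries the Secure attribute. The cookie names LtpaToken and LtpaToken2 and both sample responses are assumptions constructed for illustration; substitute the token name from your WebSSO configuration document.

```python
# Added example: audit captured Set-Cookie headers for the Secure attribute.
# Cookie names are assumptions; use the token name from your WebSSO configuration.
SSO_COOKIE_NAMES = {"ltpatoken", "ltpatoken2"}

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes keyed in lowercase)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_headers(raw_headers, sso_names=SSO_COOKIE_NAMES):
    """Return (cookie_name, problem) for every SSO cookie sent without Secure."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or unrelated header
        name, attrs = parse_set_cookie(value)
        if name.lower() not in sso_names:
            continue  # not an SSO token cookie
        # Only attributes after the first ';' count, so a cookie *value*
        # that happens to contain "Secure" does not pass the check.
        if "secure" not in attrs:
            findings.append((name, "missing Secure attribute"))
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = """HTTP/1.1 302 Found
Set-Cookie: LtpaToken=AAECAzEyMzQ=; domain=.example.com; path=/
Set-Cookie: lang=en; path=/
"""
AFTER = """HTTP/1.1 302 Found
Set-Cookie: LtpaToken=AAECAzEyMzQ=; Domain=.example.com; Path=/; Secure
Set-Cookie: lang=en; path=/
"""

if __name__ == "__main__":
    for label, headers in (("without Secure", BEFORE), ("with Secure", AFTER)):
        print(label, audit_headers(headers) or "OK")
```

In a reverse-proxy setup, run the check against the headers the browser actually receives from the proxy, not only against the backend response.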