Configuring single or multiple-server attributes for SameSite session cookies

Configure an attribute for the SameSite session cookie to enable a Domino web server to assert that browsers can only send cookies that originate from the Domino server web site.

About this task

Use of the SameSite cookie attribute reduces the risk of cross-site request forgery (CSRF). You can configure the SameSite cookie in these documents in the Domino directory: Server document, Web Site document (single server), or Web SSO Configuration document (multiple servers). Alternatively, you can configure the attribute through a notes.ini server setting.

Choose one of these values for the attribute:
  • Strict Cookies are sent only when browsers directly access the web site of the Domino server from which the cookies originate.
  • Lax Cookies are sent when browsers directly or indirectly access the web site of the Domino server from which the cookies originate.
  • None Cookies are sent regardless of the web site from which the cookies originate. Requires that HTTPS be enabled.

Configuring the SameSite cookie attribute through the Domino directory

Procedure

  1. Find the SameSite cookie attribute field in the Web document you use:
    Document Location of field
    Server document Internet Protocols > Domino Web Engine tab, HTTP Sessions section
    Web Site document Domino Web Engine tab, HTTP Sessions section
    Web SSO Configuration document Basics tab, Token Configuration section
  2. For SameSite cookie attribute, select one of the following options:
    • Strict
    • Lax
    • None
    • Use browser default or INI setting. This setting is the default. Choose this setting if you configure the SameSite cookie through a notes.ini setting on the server or if you don't configure the SameSite cookie and let the browser determine the behavior.

Configuring the SameSite cookie attribute through a notes.ini setting

About this task

Use one of the following notes.ini settings to configure the SameSite cookie attribute on a web server. In addition, make sure that the SameSite cookie attribute field in the web server document is set to Use browser default or INI setting.
  • If you configure the web server through a Server document or a single-server Web Site document, use DOMINO_SAMESITE_SINGLESERVER=value
  • If you configure the web server through a Web SSO Configuration document, use DOMINO_SAMESITE_MULTISERVERSSO=value
where value is one of the following values representing the desired SameSite attribute:
Value SameSite attribute
1 Strict
2 Lax
3 None