About this task

Use of the SameSite cookie attribute reduces the risk of cross-site request forgery (CSRF). You can configure the SameSite cookie in these documents in the Domino directory: Server document, Web Site document (single server), or Web SSO Configuration document (multiple servers). Alternatively, you can configure the attribute through a notes.ini server setting.

Choose one of these values for the attribute:

• Strict Cookies are sent only when browsers directly access the web site of the Domino server from which the cookies originate.
• Lax Cookies are sent when browsers directly or indirectly access the web site of the Domino server from which the cookies originate.
• None Cookies are sent regardless of the web site from which the cookies originate. Requires that HTTPS be enabled.

Procedure

1. Find the SameSite cookie attribute field in the Web document you use:

Document	Location of field
Server document	Internet Protocols -> Domino Web Engine tab, HTTP Sessionssection
Web Site document	Domino Web Engine tab,HTTP Sessions section
Web SSO Configuration document	Basics tab, Token Configuration section

• Strict
• Lax
• None
• Use browser default or INI setting. This setting is the default. Choose this setting if you configure the SameSite cookie through a notes.ini setting on the server or if you don't configure the SameSite cookie and let the browser determine the behavior.

About this task

Use one of the following notes.ini settings to configure the SameSite cookie attribute on a web server. In addition, make sure that the SameSite cookie attribute field in the web server document is set to Use browser default or INI setting.

• If you configure the web server through a Server document or a single-server Web Site document, use DOMINO_SAMESITE_SINGLESERVER=value
• If you configure the web server through a Web SSO Configuration document, use DOMINO_SAMESITE_MULTISERVERSSO=value

Help on Help

All Help Contents

Help on Help