Prevent passing Username and Password in URL in Domino web app

Windows Server
R7
Session Authentication enabled w/ custom login form

How does Domino process the following URL?

http://myserver.com/names.nsf?Login&Username=testusr&Password=pwd&LoginOptions=&RedirectTo=http://www.msn.com

I need to disable this type of redirect. Without the Username and Password params, my login form is used, where I can strip the query string accordingly, but with those params in there it appears my login form isn't being used and I don't know how Domino is processing this.

Thanks
Mike
mike_allred Asked:
mike_allred Author Commented:
SOLUTION:

I opened a PMR and found out about the "DominoDisableRedirectTo" notes.ini variable introduced in R7.0.4 that "disables" the "RedirectTo" query string functionality.
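The thread's URL form (a `?Login` request carrying `Username`, `Password` and an off-site `RedirectTo`) is easy to spot in web server logs. The following Python check is an added example, not code from the thread or from Domino: it flags credentials in the query string and a `RedirectTo` whose host differs from the site's own host, which is the behaviour the DominoDisableRedirectTo notes.ini setting is meant to shut off. The host name and the sample URLs are constructed.

```python
"""Flag Domino-style login URLs that carry credentials in the query string
or a RedirectTo that points off-site. Added example; sample data is constructed."""
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "myserver.com"  # assumed: the host name the Domino server answers for

# Constructed sample request URLs (not real traffic)
SAMPLE_URLS = [
    "http://myserver.com/names.nsf?Login&Username=testusr&Password=pwd"
    "&LoginOptions=&RedirectTo=http://www.msn.com",
    "http://myserver.com/names.nsf?Login&RedirectTo=/home.nsf",
    "http://myserver.com/names.nsf?Login&Username=u&Password=p&RedirectTo=//www.msn.com/x",
    "http://myserver.com/home.nsf",
]


def check_login_url(url, site_host=SITE_HOST):
    """Return a list of findings for one request URL (empty list = nothing to report)."""
    parts = urlsplit(url)
    # keep_blank_values keeps bare commands such as "Login" (no "=") as keys
    query = parse_qs(parts.query, keep_blank_values=True)
    keys = {k.lower(): v for k, v in query.items()}  # Domino commands are case-insensitive
    findings = []
    if "login" not in keys:
        return findings
    if "username" in keys and "password" in keys:
        # Credentials in the query string end up in browser history, proxies and access logs
        findings.append("credentials_in_query")
    for target in keys.get("redirectto", []):
        host = urlsplit(target).hostname
        # Absolute (http://host/...) and scheme-relative (//host/...) targets both yield a host;
        # a relative path such as /home.nsf yields None and stays on the site
        if host and host.lower() != site_host.lower():
            findings.append("external_redirect:" + host)
    return findings


def scan(urls, site_host=SITE_HOST):
    """Map each URL that produced findings to its findings."""
    report = {}
    for url in urls:
        findings = check_login_url(url, site_host)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_URLS).items():
        print(url, "->", ", ".join(findings))
```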
mbonaci Commented:
The only difference when you enable session based authentication is that name & password are sent only once, at the beginning of client's session (and from then on stored in a cookie), but it's, nevertheless, sent unencrypted in the URL.

Read this:
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_SSL_AND_BASIC_PASSWORD_AUTHENTICATION_8792_OVERVIEW.html

The solution is to enable SSL:
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_ABOUT_SETTING_UP_SSL_ON_A_SERVER.html
mike_allred Author Commented:
Ok, let me clarify a bit.

We have an app in development.  Part of our development process is to do security scans and one of the items that was identified was the ability to redirect a user with the following URL:

http://myserver.com/names.nsf?Login&Username=testusr&Password=pwd&LoginOptions=&RedirectTo=http://www.msn.com

I need to disable/prevent this type of redirection.

What I know:
1. If I remove any part of "&Username" or "&Password", the URL doesn't authenticate automatically and I get my custom login form, where the redirect isn't processed.
2. If I remove any part of "&RedirectTo", the URL does authenticate but the redirect isn't processed.

What I don't know/what I would like to know:
1. How does Domino "process" this URL to automatically log the user in and perform the redirect? It doesn't seem to use my custom login form.
2. Can I prevent this redirect behavior?

Hope this clarifies a bit more

Mike