Prevent passing Username and Password in URL in Domino web app

Windows Server
R7
Session Authentication enabled w/ custom login form

How does Domino process the following URL?

http://myserver.com/names.nsf?Login&Username=testusr&Password=pwd&LoginOptions=&RedirectTo=http://www.msn.com

I need to disable this type of redirect. Without the Username and Password params, my login form is used, where I can strip the query string accordingly, but with those params in there, it appears my login form isn't being used and I don't know how Domino is processing this.

Thanks
Mike
mike_allredAsked:

mbonaciCommented:
The only difference when you enable session based authentication is that name & password are sent only once, at the beginning of client's session (and from then on stored in a cookie), but it's, nevertheless, sent unencrypted in the URL.

Read this:
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_SSL_AND_BASIC_PASSWORD_AUTHENTICATION_8792_OVERVIEW.html

The solution is to enable SSL:
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_ABOUT_SETTING_UP_SSL_ON_A_SERVER.html
0
mike_allredAuthor Commented:
Ok, let me clarify a bit.

We have an app in development.  Part of our development process is to do security scans and one of the items that was identified was the ability to redirect a user with the following URL:

http://myserver.com/names.nsf?Login&Username=testusr&Password=pwd&LoginOptions=&RedirectTo=http://www.msn.com

I need to disable/prevent this type of redirection.

What i know:  
1.  If I remove any part of "&Username" or "&Password", the URL doesn't authenticate automatically and I get my custom login form, where the redirect isn't processed.
2.  If I remove any part of "&RedirectTo", the URL does authenticate but the redirect isn't processed.

What i don't know/what I would like to know:
1.  How does Domino "process" this URL to automatically log the user in and perform the redirect? It doesn't seem to use my custom login form.
2.  Can I prevent this redirect behavior?

Hope this clarifies a bit more

Mike
0
mike_allredAuthor Commented:
SOLUTION:

I opened a PMR and found out about the "DominoDisableRedirectTo" notes.ini variable introduced in R7.0.4 that "disables" the "RedirectTo" query string functionality.
0
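As an added example (not code from the thread, and not IBM/HCL Domino code), here is a small Python check for the behaviour the scan flagged and the PMR answer fixed. The thread's own facts are: with Username and Password in the query string the ?Login URL authenticates without going through the custom form, RedirectTo then sends the browser to an arbitrary host, and the DominoDisableRedirectTo notes.ini variable (R7.0.4 and later) disables that parameter. Background not stated in the thread: Domino's own session-login form posts fields named Username, Password and RedirectTo, which is why a GET carrying the same names is treated as a submitted login. The thread does not give the variable's value; DominoDisableRedirectTo=1 is assumed. The script rebuilds the URL, classifies a response without following redirects, and flags Location targets that leave the trusted host, including the scheme-relative, backslash and scheme-without-slashes shapes that scanners try. Host names, the test account and the sample responses are constructed; the live probe is optional.

```python
"""
Open-redirect check for a Domino-style ?Login URL with RedirectTo.
Added example: not from the original thread and not Domino's code.
All hostnames, credentials and sample responses below are constructed.
"""
import http.client
from urllib.parse import urlencode, urlsplit

# Constructed: the host the application lives on.  Any Location target
# that resolves to a different host is treated as an open redirect.
TRUSTED_HOST = "myserver.com"


def build_login_url(base, username, password, redirect_to):
    """Rebuild the URL shape from the thread: names.nsf?Login plus the
    field names Domino's login form itself uses.  Credentials in a GET
    query string end up in server, proxy and browser history logs, so
    only ever do this with a throwaway test account."""
    qs = urlencode({"Username": username, "Password": password,
                    "LoginOptions": "", "RedirectTo": redirect_to})
    return f"{base}/names.nsf?Login&{qs}"


def redirect_target_is_external(location, trusted_host):
    """True if a Location header would take the browser off trusted_host.
    Handles the usual bypass shapes: scheme-relative //host, backslashes
    (browsers fold '\\' into '/'), userinfo tricks (trusted@evil) and
    'http:evil' written without the slashes."""
    if not location:
        return False
    loc = location.strip().replace("\\", "/")
    parts = urlsplit(loc)
    if parts.scheme and not parts.netloc:
        # e.g. "http:www.msn.com" or "javascript:..." - never a local path
        return True
    if parts.netloc:
        host = (parts.hostname or "").lower()
        return host != trusted_host.lower()
    # No scheme and no authority: a relative path such as /names.nsf
    return False


def classify_login_response(status, headers, trusted_host):
    """Map the response to the ?Login URL onto what the scan cares about.
    Returns OPEN_REDIRECT, REDIRECT_SAME_SITE or NO_REDIRECT."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location")
    if 300 <= status < 400 and location:
        if redirect_target_is_external(location, trusted_host):
            return "OPEN_REDIRECT"
        return "REDIRECT_SAME_SITE"
    return "NO_REDIRECT"


def probe(host, path, use_ssl=False):
    """Optional live check: one request, redirects deliberately not followed,
    so the Location header is what gets classified."""
    cls = http.client.HTTPSConnection if use_ssl else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed responses standing in for the two states in the thread:
# RedirectTo honoured (before the notes.ini change) and ignored (after,
# assumed to fall through to a normal 200 rather than a redirect).
BEFORE_FIX = (302, {"Location": "http://www.msn.com"})
AFTER_FIX = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    url = build_login_url("http://myserver.com", "testusr", "pwd",
                          "http://www.msn.com")
    print("probe URL:", url)
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "->", classify_login_response(*sample, TRUSTED_HOST))
```

To run it against a real server, call probe() with the path part of build_login_url() and feed the result to classify_login_response(); anything other than NO_REDIRECT or REDIRECT_SAME_SITE means RedirectTo is still being honoured for off-site targets. The notes.ini setting only addresses the redirect; the credentials in the query string are still the reason to keep mbonaci's point about SSL in mind.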