Webmail - Can I do anything to stop this?

Status
Not open for further replies.

mizzy

Jun 28, 2001
Hi,

I have got web mail up and running on my Lotus 5.0.8 domain.

Users can access their mail from anywhere on the planet.

However, the browsers (used by staff) cache the user's login details, and if someone (in the cyber cafe in Paris, or wherever) opens up the URL to the user's mailbox and clicks on the user name field, the password field is automatically filled in! Hey presto, trouble!

I have searched high and low for a solution to this problem but cannot find it anywhere. As I say, some of my users will be on vacation and for some reason (boredom) will try to read their mail from a browser in the local cyber cafe.

It's a huge security risk but no one has said how to actually solve the problem. I've just read postings about "Oh just turn off auto complete"!!!

Is there some setting in Domino that says "I know you are using cached details to login, you cannot, get lost"?

Many thanks,
This is driving me nuts.
Regards
 
If you are concerned about security you should be using a newer version of Notes (bug fixes etc).

What's new in Notes Web Access 7
New configuration settings available to the administrator include an option to disallow access to mail attachments and the ability to force a user logout when all Lotus Domino Web Access windows are closed. This includes clearing the browser cache and system temporary files directory so that no user data is left behind.

"mxtreme" mail firewall also auto clears the cache

HTH
 

Mark, yes, I'm concerned about security.
However, my company decided that once we got to 5.0.8 not to renew the Lotus licensing, so .......

Does anything spring to mind that I can use in 5.0.8?
Is there anything in domcfg.nsf? Am I stuffed like the turkey?

Many thanks for your help & patience
Regards,
 
I think you are about as stuffed as me after Christmas turkey lunch with extra stuffing (that's bad in more ways than one).

Maybe you can look at doing something with Windows directory security to force additional authentication? Can you maybe use SSL? Other than that, I don't know of anything that Notes can natively offer. Sorry.
 
Mark,

Found it!
Create a database called domcfg.nsf using the domcfg5.ntf template. Domcfg.nsf allows you to configure your own webmail login page (company logos etc.).
Edit this database and open the properties of the username or password field (which are created by default).
Find the HTML Attributes setting; by default it says "maxlength=256". Change this to "maxlength=256 autocomplete=off". This will stop the browser from using autocomplete during that session.

Like you, I thought that using SSL (port 443) was enough to protect the session, but all it does is encrypt the session data.

Cheers and go easy on the stuffing!
p.s. For other searchers, browser remembers password problem
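
One way to confirm the change took effect on the rendered login page, as an added example that is not part of the original post or of Domino itself: a small Python audit that lists username/password inputs still allowing autocomplete. The sample form markup, field names and `/login` action are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed samples of a rendered login form (field names and action are assumptions).
LOGIN_BEFORE = """<form method="post" action="/login">
<input name="Username" maxlength=256>
<input name="Password" type="password" maxlength=256>
<input type="submit" value="Login">
</form>"""
LOGIN_AFTER = LOGIN_BEFORE.replace("maxlength=256", "maxlength=256 autocomplete=off")


class LoginFormAudit(HTMLParser):
    """Collect text/password inputs that still allow browser autocomplete."""

    def __init__(self):
        super().__init__()
        self.form_off = False   # autocomplete=off set on the enclosing <form>
        self.findings = []      # (field name, field type) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)         # attribute names arrive lower-cased
        if tag == "form":
            self.form_off = _is_off(a)
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind not in ("text", "password"):
                return          # buttons, hidden fields etc. are out of scope
            # A field-level attribute overrides the form-level setting.
            off = _is_off(a) if "autocomplete" in a else self.form_off
            if not off:
                self.findings.append((a.get("name", "?"), kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def _is_off(attrs):
    return (attrs.get("autocomplete") or "").strip().lower() == "off"


def audit(html):
    """Return the login fields for which autocomplete is not disabled."""
    parser = LoginFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("before:", audit(LOGIN_BEFORE))
    print("after: ", audit(LOGIN_AFTER))
```

Current browsers' built-in password managers may ignore `autocomplete=off` on login fields, so a clean result here shows the attribute is present, not that nothing can be stored.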
 
Well done!
I will remember that one for reference. We use iwareredir.nsf to login and redirect but we use a VPN for all external connects so this never was an issue for us. Have a star for answering your own post!
 
DOMCFG.nsf will work even better if you enable SINGLE SERVER authentication in the server document; then it will be possible to make your server even safer (it depends on YOUR settings of course...). Timeouts etc. can be set on the same pages. Look into the 2 following tabs in the server document:

Internet protocols | HTTP
Internet protocols | Web Engine

TrooDOS
 