HTTP Session Override will not work in TOTP configuration

Domino Version 12 and above
whatever Operating System, any browser version

Problem/Query:

The HTTP Session Override in the Domino Internet site documents works fine, until you decide to enable TOTP / MFA.

As soon as the TOTP configuration took place in the Internet site documents, Configuration document, ID-Vault and Security Policy setting, the Session Override in the Domino Internet site document will not work anymore. You cannot avoid the session-based login for mobile Traveler clients; Basic login is generally not available.

Anybody else faced with this issue?

The use case is to secure any HTTP access besides the Traveler access on a Domino HTTP server with MFA.

I could only get rid of this by disabling every detail of the TOTP configuration. But the Internet site also has to be reverted to Basic Authentication. What previously worked fine via the HTTP Session Override in the Domino Internet site documents without TOTP looks permanently broken.

Thank you for any hint!
Mike

TOTP is a forms-based authentication. Once TOTP is enabled for the Traveler endpoint, any session override rules allowing basic authentication are ignored. This means that any client configured for the same endpoint that requires Basic authentication will no longer be able to authenticate. To support additional modes of authentication, consider configuring multiple web sites.
See: Configuring the HCL Traveler server for TOTP authentication

Hello Tristanhcl

Well, then we have a general issue. TOTP is supported for Traveler services only by the Verse app on mobile devices.

If we are faced with the fact that "any" ActiveSync client (iOS Mail, Genoa Transformer, ...) needs to be connected, TOTP cannot be used within a Traveler domain, let's call it 'traveler.acme.com' for example. 'traveler.acme.com' will become an 'unsafe' domain, because traveler.acme.com/names.nsf or traveler.acme.com/homepage.nsf, like any other URL besides /traveler and /api, cannot be blocked for non-TOTP access.
Because any URL traveler.acme.com/* besides /api and /traveler can be used for valid brute force attacks, users will easily be locked out by the Internet lockout security (inetlockout.nsf). Attackers do not use e.g. /traveler URLs for a brute force attack; they use random URLs, e.g. /cgi or /names.nsf.
If all the remaining URLs besides /api and /traveler could be configured for TOTP (with a general TOTP configuration plus a working session override configuration for /api and /traveler), the security risk would be significantly lower.

A different hostname for Traveler services and 'other' URLs on the same server will not help:
A request to traveler.acme.com can be mapped to traveler.acme.com/traveler, but only by default. traveler.acme.com (without TOTP) will also answer a request for 'traveler.acme.com/names.nsf', but differently from 'webserver.acme.com/names.nsf', which may be hosted on the same Domino.
webserver.acme.com/names.nsf will be safe because of TOTP.
traveler.acme.com/names.nsf will be unsafe because of Basic Auth!

Anyway, the named URL webserver.acme.com/names.nsf might be redirected to something different. But this must be done for ANY possible URL, like for '/*'. Of course this will include traveler.acme.com/traveler.
How can we exclude '/traveler' and '/api' from a general 'all-including' redirection?
I cannot find any reasonable way to secure this.

Thank you
Mike

Maybe any moderator would please adjust my typo in the title " HTTP Session Override will not word in TOTP configuration" to " HTTP Session Override will not work in TOTP configuration".

I cannot adjust this anymore.

Thank you,
Mike

I had the same problem.
Internet site webmail.mydomain.com configured with Session authentication + Override session authentication rule for traveler access.
After configuring TOTP, the override rule wasn’t honored anymore. Even if the authentication of the internet site was just username+password.

The workaround I found wasn’t on Domino but on the reverse proxy. I’m using Apache 2.4.

After creating a new internet site traveler.mydomain.com with basic authentication, I modified the Apache virtual site to fake the hostname for Traveler destination URLs, like so:

# proxy all requests to the backend Domino HTTP server, preserving the original Host header
# (so webmail.mydomain.com reaches the TOTP-protected Internet site)
ProxyPreserveHost On
ProxyPass / http://192.168.100.2/ timeout=600
ProxyPassReverse / http://192.168.100.2/

# for Traveler paths only, change the Host header to traveler.mydomain.com
# so Domino serves them from the basic-auth Internet site instead
<LocationMatch "^(/servlet/traveler|/traveler.*|/Microsoft-Server-ActiveSync.*)$">
    # no Apache-side access restriction here; Domino performs the authentication
    Require all granted
    RequestHeader set Host traveler.mydomain.com
</LocationMatch>
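As an added check (not part of the post above), this applies the same LocationMatch pattern to the paths discussed in the thread and reports which Domino Internet Site each request would be presented to. Hostnames are the ones assumed in the post; the audit shows that the pattern is prefix-based and case-sensitive, and that /api and /servlet/traveler/<anything> stay on the TOTP site.

```python
import re

# The LocationMatch regex from the Apache workaround in the post.
TRAVELER_PATHS = re.compile(
    r"^(/servlet/traveler|/traveler.*|/Microsoft-Server-ActiveSync.*)$"
)

# Assumed hostnames (taken from the post): Traveler site = basic auth,
# webmail site = session authentication with TOTP.
TRAVELER_HOST = "traveler.mydomain.com"
WEBMAIL_HOST = "webmail.mydomain.com"


def upstream_host(path: str) -> str:
    """Host header the proxy presents to Domino for a given request path.

    Only the URL path is matched (LocationMatch ignores the query string),
    so callers pass the path without '?...'.
    """
    return TRAVELER_HOST if TRAVELER_PATHS.match(path) else WEBMAIL_HOST


def audit(paths):
    """Group sample paths by the Domino Internet Site they would land on."""
    result = {TRAVELER_HOST: [], WEBMAIL_HOST: []}
    for path in paths:
        result[upstream_host(path)].append(path)
    return result


# Constructed sample paths: the ones named in the thread plus edge cases.
SAMPLE_PATHS = [
    "/traveler",
    "/traveler/Microsoft-Server-ActiveSync",
    "/Microsoft-Server-ActiveSync",
    "/servlet/traveler",
    "/servlet/traveler/extra",   # not matched: the alternative has no '.*'
    "/travelerx",                # matched: '/traveler.*' is a plain prefix
    "/TRAVELER",                 # not matched: regex is case-sensitive
    "/api",                      # not matched: stays on the TOTP site
    "/names.nsf",
    "/homepage.nsf",
]

if __name__ == "__main__":
    for host, paths in audit(SAMPLE_PATHS).items():
        print(host)
        for p in paths:
            print("   ", p)
```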

I could make it work, after many tries:

  • Indeed it seems that the “session override” documents have no effect anymore, none of them. Even if they are linked to web site docs without TOTP.
  • But I noticed that if you set the Authentication to “Disabled” (no “single server”, no LTPA) in the Web Site doc, we fall back to plain old basic authentication with the old pop-up sign-in box. And my Verse app may still sync without TOTP.
  • I had also some troubles with the DOMCFG docs: in the mapping docs, it is not the title of the internet site docs that one should fill in, but the full host name (traveler.mydomain.com). I think the documentation should be corrected.
  • I succeeded on Domino 14.5 FP1, that may help too, as I see some fixes in FP1.

In the end, I could get on the same Domino server:

  • webmail access with TOTP
  • traveler access without TOTP
  • but each one must point to a different hostname