IBM Support

Disabling Domino redirectto URL argument

Technote (troubleshooting)


Problem

A phishing attacker sends an email with a link purporting to be to your website. The link begins with your domain name, but uses the &redirectto URL argument to steer the user to the attacker's site if they click it (an open redirect).

Diagnosing the problem

This feature is used legitimately to build authentication pages that, on logout, redirect the user to another on-site page that does not require authentication. For some high-security sites, however, the functionality may be problematic.

We are not giving a specific example here on the theory that one should avoid giving instructions on how to attack server security.


Resolving the problem

You can optionally disable the redirect functionality by adding the following line to the Domino server's notes.ini file:

DominoDisableRedirectTo=x

Where x can be:

    • 1: Ignore the RedirectTo parameter in both GET and POST requests. Warning: this setting will break Domino's session-based authentication redirection.
    • 2: Ignore the query string RedirectTo parameter only in GET requests (to allow form-based POST authentication).
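Before choosing between the two settings, or to confirm whether the pattern described under Problem is actually being exercised against a server, it helps to review the web server log for RedirectTo values that leave the site. The following Python check is an added example and not part of the IBM technote; the host name www.example.com, the log lines and the host attacker.invalid are constructed for illustration.

```python
"""Flag Domino requests whose RedirectTo query parameter points off-site.

Added example, not from the IBM technote. The site host and the log
lines below are constructed; adjust SITE_HOST to the real Domino host.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.example.com"  # assumed: the Domino web server's host name

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2012:10:00:01 +0000] "GET /names.nsf?Logout&redirectto=/home.nsf HTTP/1.1" 302 0
10.0.0.6 - - [24/Jan/2012:10:00:02 +0000] "GET /names.nsf?Login&RedirectTo=http%3A%2F%2Fattacker.invalid%2Flogin HTTP/1.1" 302 0
10.0.0.7 - - [24/Jan/2012:10:00:03 +0000] "GET /names.nsf?Logout&redirectto=//attacker.invalid/ HTTP/1.1" 302 0
10.0.0.8 - - [24/Jan/2012:10:00:04 +0000] "GET /db.nsf/page?OpenDocument HTTP/1.1" 200 512
"""


def redirect_target(request_url: str) -> Optional[str]:
    """Return the RedirectTo value of a request URL, matching the name case-insensitively."""
    query = urlsplit(request_url).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() == "redirectto" and values:
            return values[0]  # parse_qs has already percent-decoded the value
    return None


def is_offsite(target: str, site_host: str) -> bool:
    """True when the redirect target leaves site_host.

    A bare path such as /home.nsf stays on-site. Absolute URLs and
    scheme-relative ones (//host/...) are compared by host name.
    """
    parts = urlsplit(target.strip())
    if not parts.scheme and not parts.netloc:
        return False
    return parts.hostname != site_host.lower()


def find_offsite_redirects(log_text: str, site_host: str = SITE_HOST) -> List[Tuple[str, str]]:
    """Return (client_ip, target) for each log line whose RedirectTo leaves the site."""
    hits = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]  # e.g. 'GET /names.nsf?Logout&... HTTP/1.1'
            url = request.split()[1]
        except IndexError:
            continue  # not a request line in the expected format
        target = redirect_target(url)
        if target is not None and is_offsite(target, site_host):
            hits.append((line.split()[0], target))
    return hits


if __name__ == "__main__":
    for client, target in find_offsite_redirects(SAMPLE_LOG):
        print(f"{client} requested off-site redirect to {target}")
```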


Document information

More support for: IBM Domino Web Server

Software version: 8.5, 8.5.1, 8.5.2, 8.5.3

Operating system(s): AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, i5/OS, z/OS

Software edition: Edition Independent

Reference #: 1578597

Modified date: 24 January 2012