Using raw HTTP to access restricted Domino areas

Posted on by Johan Känngård

UPDATED 2002-11-03 – The Java code in the attached file contained some errors.

When using other clients than a web browser, you have to know how Domino authentication works. This is a very short description on how to login, access a restricted area, and logout using raw HTTP. With raw HTTP, I mean using a terminal emulator, a HTTP-sniffer or socket programming.

Login

To login, you have to post the username and password to /?Login, by making this request (please note that the empty linefeeds are required): 

POST /?Login HTTP/1.1 Host: server.com Content-Type: application/x-www-form-urlencoded Content-Length: [the length of Username=x&Password=y] Username=x&Password=y

The Host, Content-Type and Content-Length headers are required. The POST data must contain the Username and Password fields. Please note that the data must be URL-encoded before POST:ed.

This is an example of the response from the server: 

HTTP/1.1 302 Found Server: Lotus-Domino/5.0.1 Date: Mon, 28 Oct 2002 22:06:19 GMT Location: http://server.com/ Connection: close Content-Base: http://server.com/?Login Content-Type: text/html Set-Cookie: DomAuthSessId=41D3D0110BA61CB171B345F147C089BD; path=/

In the result, the Set-Cookie header sets the DomAuthSessId, that is also stored internally in Domino together with the username previously specified in the post. This cookie from this point always be a part of every request to restricted Domino areas.

Restricted operation

The cookie you received when logging in, must be sent with the request, so that the server knows who is making the request: 

GET /mysecretdatabase.nsf HTTP/1.1 Host: server.com Cookie: DomAuthSessId=41D3D0110BA61CB171B345F147C089BD

Of course, headers like User-Agent, Accept etc. should be sent, but this is just a short example…

Logout

When you want to end your Domino session, you make a GET to /?Logout with the Cookie header set to the same value as you got when logging in: 

GET /?Logout HTTP/1.1 Host: server.com Cookie: DomAuthSessId=41D3D0110BA61CB171B345F147C089BD

Example of the response: 

HTTP/1.1 302 Found Server: Lotus-Domino/5.0.9 Date: Tue, 29 Oct 2002 16:15:21 GMT Location: http://server.com/ Connection: close Content-Base: http://server.com/?Logout Content-Type: text/html Set-Cookie: DomAuthSessId=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/

Attached to this article, you will find some useful methods in Java that can help you construct the POST:s and GET:s above. Maybe I´ll show you how to create sockets and use these methods later on. :-)