Parameter: OIDC_LOGIN_COOKIE_DURATION_SEC
Short description: Sets how long (in seconds) the cookies that maintain the OIDC authentication state during the login flow between the Domino web server and the OIDC provider remain valid. Default: 120 seconds (2 minutes).
Profile
Parameter | OIDC_LOGIN_COOKIE_DURATION_SEC |
Category | Security / TLS (OIDC / Web SSO) |
Component | Server (HTTP task) |
Available since | 14.0 |
Supported versions | 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | Integer 30–900 seconds — default: 120 (2 minutes) |
Description
During web login with OIDC (OpenID Connect, authorization code flow with PKCE), Domino redirects the user's browser to the OIDC provider (e.g., Keycloak, Azure AD, Okta). During this redirect, Domino must temporarily store the login state between the redirect to the IdP and the redirect back to the server — this happens via short-lived state cookies in the browser.
The parameter OIDC_LOGIN_COOKIE_DURATION_SEC defines how long these state cookies are valid. The default of 120 seconds is sufficient for most environments, since the login flow normally completes within a few seconds. Adjusting it makes sense in the following cases:
- Shorter (e.g. 30–60 s): higher security; the login flow must be completed faster, and a login page left open cannot be used to finish the flow later.
- Longer (e.g. 300–900 s): if the OIDC provider enforces an additional MFA challenge (e.g. push notification, hardware token) that takes the user longer to complete, or over slow network connections.
The value does not affect the lifetime of the actual Domino session cookie after successful login — this is configured via the normal session authentication settings in the internet site document or server document.
Example configuration
OIDC_LOGIN_COOKIE_DURATION_SEC=300
Notes & pitfalls
- Values outside the range 30–900 are rejected by the HTTP task or reset to the default.
- Prerequisite: HTTP Bearer Authentication and web login with OIDC are activated in the relevant internet site document.
- Works only on Windows and Linux servers — web login with OIDC is not supported on other platforms.
- The change takes effect after an HTTP task restart (restart task http) or via set config OIDC_LOGIN_COOKIE_DURATION_SEC=….
- In conjunction with DEBUG_OIDCLogin=4, cookie problems can be traced in detail on the server console.
- If the value is too short, users see the error message "authentication state expired" or are sent into an endless redirect loop.
- With multiple Domino servers behind a web proxy: session affinity is mandatory so that the login flow is not split between two servers.
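The following Python script is an added illustration of the mechanism described above and in the notes; it is not Domino code and does not reproduce how the HTTP task actually builds its cookies. It models a relying party that, before redirecting to the IdP, stores state, nonce and the PKCE code verifier in an HMAC-signed cookie with an expiry of OIDC_LOGIN_COOKIE_DURATION_SEC seconds, and on the redirect back rejects the cookie once it has expired. The cookie layout, the signing key and the choice to treat out-of-range values as falling back to the default (the page says they are rejected or reset; only the reset case is modelled) are assumptions of this example. The simulate() runs show why a 240-second MFA delay fails with the 120-second default but succeeds with 300.

```python
"""Illustrative model of the short-lived OIDC login-state cookie whose
lifetime OIDC_LOGIN_COOKIE_DURATION_SEC controls. Example code, not Domino's."""
import base64
import hashlib
import hmac
import json
import secrets
import time

DEFAULT_DURATION_SEC = 120   # documented default
MIN_DURATION_SEC = 30        # documented lower bound
MAX_DURATION_SEC = 900       # documented upper bound

# Constructed server-side secret for signing the cookie; not a real key.
COOKIE_SIGNING_KEY = b"constructed-example-key-do-not-reuse"


def effective_duration(configured):
    """Lifetime the server will use for a configured value.
    Assumption: out-of-range or missing values fall back to the default."""
    if configured is None:
        return DEFAULT_DURATION_SEC
    if MIN_DURATION_SEC <= int(configured) <= MAX_DURATION_SEC:
        return int(configured)
    return DEFAULT_DURATION_SEC


def _sign(payload: bytes) -> str:
    return hmac.new(COOKIE_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def begin_login(duration_sec, now=None):
    """Step 1: before redirecting to the IdP, create the state cookie.
    Returns (cookie_value, state, code_challenge): the browser keeps the
    cookie, the IdP receives state and code_challenge in the auth request."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    code_verifier = secrets.token_urlsafe(32)
    code_challenge = base64.urlsafe_b64encode(
        hashlib.sha256(code_verifier.encode()).digest()).rstrip(b"=").decode()
    payload = json.dumps({"state": state, "nonce": nonce,
                          "code_verifier": code_verifier,
                          "exp": now + duration_sec}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}", state, code_challenge


def finish_login(cookie_value, returned_state, now=None):
    """Step 2: on the redirect back from the IdP, validate the state cookie.
    Returns (ok, detail): detail is the code_verifier on success (needed for
    the token request) or the reason the login was rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie_value.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, TypeError):
        return False, "malformed state cookie"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "state cookie signature invalid"
    data = json.loads(payload)
    if now > data["exp"]:
        # This is the situation behind the "authentication state expired" error.
        return False, "authentication state expired"
    if not hmac.compare_digest(data["state"], returned_state):
        return False, "state mismatch"
    return True, data["code_verifier"]


def simulate(duration_sec, mfa_delay_sec):
    """One login where the user spends mfa_delay_sec at the IdP (e.g. MFA)."""
    t0 = 1_700_000_000.0  # constructed fixed start time
    cookie, state, _challenge = begin_login(effective_duration(duration_sec), now=t0)
    ok, detail = finish_login(cookie, state, now=t0 + mfa_delay_sec)
    return ok, detail


if __name__ == "__main__":
    for configured, delay in [(120, 45), (120, 240), (300, 240), (5000, 240)]:
        ok, detail = simulate(configured, delay)
        print(f"configured={configured:>5}s effective={effective_duration(configured):>3}s "
              f"mfa_delay={delay:>3}s -> {'OK' if ok else detail}")
```

The last run (5000 s) shows the range check from the notes: the value is outside 30–900, so the effective lifetime is the default and a slow MFA step still expires the state. The signature check and the state comparison are included because the same cookie is what protects the callback against a forged or replayed authorization response; a shorter lifetime narrows that window further.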
Sources (HCL Product Documentation)
- HCL Domino 14.5.1 – Configuring OIDC-based SSO for web users: help.hcl-software.com/domino/14.5.1/admin/secu_config_oidc_based_sso_for_web.html