How to use cookies with Notes and the Web (continued)
It is also possible to pass other client information, such as a user name or the current database, from Notes to the Web client in this fashion, even though the Web agent is being accessed as an anonymous user. This information would otherwise be completely unavailable to the Web agent. In effect, this provides a second way of building an agent context, in addition to the DocumentContext available from the NotesSession class.
Creating a cookie

There are many different ways to create cookie values. One simple solution is to use the @Unique formula function. It doesn't matter what formula is used, since the button or action that creates the cookie document in Notes also builds the URL with the cookie as a parameter. For extra security, an expiration date/time can be built in, which doesn't need to be any longer than the time between the button being pressed and the URL being processed by the Domino server.
A sample database, with code ready to try out, is available for downloading to accompany this article. All code is tested on R4.6 platforms and upwards, and is provided free of charge for you to play with, use, or modify. Get it from http://www.rhizomatics.demon.co.uk/software/nwauthen.zip.
Requirements

There are three major things you should keep in mind when you are creating cookies:
- First, the cookie creation code in the Notes form must pass the cookie number in its call to the Web agent. As shown in the code samples later in the article, this can be incorporated even in a simple formula language button call to a URL.
- Secondly, the cookie-checking code in the Web agents of databases must require Web authentication. These databases must have anonymous access of Reader or greater, which is required for all Web users to run agents.
- Lastly, you must have a "cookie jar" database in which to store the cookie documents. This database must have default access of Depositor (to allow remote Notes clients to drop in cookie documents). Only one agent is required in this database -- the scheduled Expire Old Cookies agent used to purge stale cookies.
Performance

A scheduled hourly agent performs expiration of cookies in the sample database. It might seem more obvious to build the expiration test into the selection formula of the view, but this would create an unstable view, permanently in need of regenerating.
Further performance improvement can be achieved by changing the "Remove Documents not modified in the last" setting in the database Replication Settings to 0 days. This ensures that when cookies are deleted, they disappear completely from the database and do not leave replication stubs behind.
Security

Since your Web users don't need any access to the cookie jar database (all access to cookies is performed by the Web agent) and Notes clients only require Depositor access to allow them to create a cookie, any Web client can check a cookie for validity. No Web client, however, can create or view a cookie, nor can a Notes client read current cookie values. Reader access is required for the signer of the Web agents (usually the Notes developer or an administrator who has used the Sign All Agents facility in Notes Administration), since by default agents are run with the signer as their effective user ID.
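
The cookie jar life cycle described under Requirements, Performance and Security can be modelled as follows. This is an added example, not code from the article or its sample database: it uses Python and an in-memory dictionary in place of LotusScript and the cookie jar database, and the class and method names, the 60-second lifetime and the user name are assumptions. It shows that because the purge agent runs only hourly, the Web agent has to compare the expiration time itself when it checks a cookie.

```python
import secrets
from datetime import datetime, timedelta, timezone

class CookieJar:
    """In-memory stand-in for the cookie jar database (hypothetical model)."""

    def __init__(self):
        self._docs = {}  # cookie value -> (user name, expiry time)

    def deposit(self, user, now, ttl=timedelta(seconds=60)):
        """Notes client side (Depositor access): create a cookie document."""
        # Assumption: a CSPRNG value stands in for @Unique, since the cookie
        # is the only credential the anonymous Web agent call carries.
        cookie = secrets.token_urlsafe(16)
        self._docs[cookie] = (user, now + ttl)
        return cookie

    def check(self, cookie, now):
        """Web agent side (read-only): return the user name, or None."""
        doc = self._docs.get(cookie)
        if doc is None:
            return None
        user, expires = doc
        # The purge is only hourly, so an expired document can still be
        # present; the expiry has to be compared at check time.
        return user if now < expires else None

    def expire_old(self, now):
        """Scheduled Expire Old Cookies agent: delete stale documents."""
        stale = [c for c, (_, exp) in self._docs.items() if exp <= now]
        for c in stale:
            del self._docs[c]
        return len(stale)

def demo():
    jar = CookieJar()
    t0 = datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    cookie = jar.deposit("Jane Doe/Example", t0)  # constructed user name
    return {
        "fresh": jar.check(cookie, t0 + timedelta(seconds=5)),
        "expired_unpurged": jar.check(cookie, t0 + timedelta(minutes=10)),
        "unknown": jar.check("not-a-cookie", t0),
        "purged": jar.expire_old(t0 + timedelta(hours=1)),
        "after_purge": jar.check(cookie, t0 + timedelta(seconds=5)),
    }

if __name__ == "__main__":
    print(demo())
```

Because the checking side only reads the jar, a cookie stays usable until its expiration time passes, which is why the lifetime should be kept as short as the article suggests.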