Hi,
Is there any DW setting to set the Dynamicweb and Dynamicweb.SessionVisitor cookies to be Http only? Also, is there a way to set DW cookies as secure?
https://www.screencast.com/t/8Q20G6Lj3fx
Thank you, Mário
Hi Mario
It is not possible to set those cookies to httponly. Also you cannot set them to secure (which would make the cookie only work over https).
BR Nicolai
Hi Nicolai,
We have a customer that ran the website through a vulnerability analysis, which flagged those 2 items (the website has https). Can this be a feature request? Probably taking the Secure attribute based on the protocol (http/https) and forcing the other DW cookies to be HttpOnly?
BR, Mário
Hi Mario
Setting Secure on https requests only kind of defeats its purpose. The purpose of the flag is to ONLY send the cookie if https is active, meaning things will stop working (e.g. login) if the user is not on https.
We should add support for HttpOnly by default - agree on that. Choosing cookies to be Secure requires some sort of configuration to implement.
Added to backlog, TFS#31103 for 9.3
You can create a notification subscriber that will change the cookie flags if needed.
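An added example of what such a notification subscriber can look like; this is not code from the thread or from Dynamicweb itself. The NotificationSubscriber base class and the Subscribe attribute are Dynamicweb's, but the notification constant used here, the namespace, the RequireSsl switch and the Harden helper are assumptions made for this illustration, so check Dynamicweb.Notifications for the event that fires after the cookies have been added to the response and before the headers go out. The cookie flags themselves are set through the standard System.Web HttpCookie properties.

```csharp
// Added example, not Dynamicweb's own code.
using System;
using System.Web;
using Dynamicweb.Extensibility.Notifications;

namespace Example.Security
{
    // ASSUMED notification: use whichever Dynamicweb.Notifications constant fires late in
    // the request, after the Dynamicweb / Dynamicweb.SessionVisitor cookies have been
    // appended to Response.Cookies but before the response headers are sent.
    [Subscribe(Dynamicweb.Notifications.Standard.Page.OnOutput)]
    public class CookieFlagSubscriber : NotificationSubscriber
    {
        // The two cookies the scanner flagged (names taken from the question above).
        private static readonly string[] TargetCookies =
        {
            "Dynamicweb",
            "Dynamicweb.SessionVisitor"
        };

        // true  : always set Secure. Only correct if the whole site is served over https,
        //         otherwise the browser drops the cookie on http and login stops working,
        //         exactly the concern raised in the reply above.
        // false : set Secure only when the current request already came in over https.
        //         Weaker: a cookie issued on an http page is still sent in clear text.
        private const bool RequireSsl = true;

        public override void OnNotify(string notification, NotificationArgs args)
        {
            HttpContext context = HttpContext.Current;
            if (context == null) return;

            Harden(context.Response.Cookies, context.Request.IsSecureConnection, RequireSsl);
        }

        // Marks the target cookies HttpOnly (and Secure, per the policy above).
        // Returns the number of cookies that were present in the response and updated,
        // so the behaviour can be unit-tested with a hand-built HttpCookieCollection.
        public static int Harden(HttpCookieCollection cookies, bool isHttps, bool requireSsl)
        {
            int changed = 0;

            foreach (string name in TargetCookies)
            {
                // The indexer on a response cookie collection CREATES a cookie when the
                // name is missing, which would emit an empty Set-Cookie header. Probe
                // AllKeys first so only cookies actually being issued are touched.
                if (Array.IndexOf(cookies.AllKeys, name) < 0) continue;

                HttpCookie cookie = cookies[name];
                cookie.HttpOnly = true;                 // not readable from document.cookie
                if (requireSsl || isHttps)
                {
                    cookie.Secure = true;               // only transmitted over https
                }
                changed++;
            }

            return changed;
        }
    }
}
```

Only cookies that are being issued in the current response (i.e. present in Response.Cookies) can be modified this way; a cookie the browser already holds keeps the attributes it was given when it was first set, so users will need a fresh session before the scanner sees the new flags. Verify the result by looking at the Set-Cookie response headers for a login or first-visit request (browser developer tools or curl -I) and confirming they carry both HttpOnly and Secure.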
Thank you Nicolai!
Hi Nicolai,
I assume this issue is still slated for 9.3 .
Will it be for the 9.3-release, or a specific subversion of 9.3? :)
It is scheduled for 9.3.0.