Details
Task
Resolution: Done
L3 - Default
Description
AT:
- the Secure and HttpOnly flags are set on the Optimize cookie
- the http connector can be disabled
- the http connector is disabled by default
- the client side (front-end) no longer accesses the cookies
- cookie handling is done entirely on the server side
- the configuration documentation in the technical guide is adjusted to the configuration changes
Background:
- The HttpOnly flag prevents JavaScript from accessing the cookies!
- Use the Secure flag for cookies if you use HTTPS
- The two flags make it a lot harder to steal the cookie and with it the user session
- http is insecure and allows recording of the whole conversation (e.g. stealing session ids or username/passwords) if used in an untrusted environment
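A small check for the two flags the acceptance criteria call for, as an added example that is not part of this ticket or of Optimize: it parses Set-Cookie header values and reports which of Secure/HttpOnly a named cookie lacks. The cookie name and the header values are constructed placeholders.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the Optimize project. The cookie name and the
header values below are constructed placeholders; the check itself works
for any cookie name.
"""

REQUIRED_FLAGS = ("secure", "httponly")  # both required by the ticket's AT


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased (they are case-insensitive per RFC 6265);
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header_value):
    """Return the required flags that one Set-Cookie value does not carry."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit_response(set_cookie_headers, cookie_name):
    """Check all Set-Cookie headers of one response for cookie_name.

    Returns None if the cookie is never set, otherwise the flags missing from
    its last Set-Cookie header; an empty list means it is hardened as required.
    """
    result = None
    for header in set_cookie_headers:
        if parse_set_cookie(header)[0] == cookie_name:
            result = missing_flags(header)
    return result


# Constructed samples: the weak 'before' and the hardened 'after' cookie.
COOKIE = "OPTIMIZE_SESSION_PLACEHOLDER"  # placeholder, not the real name
WEAK_RESPONSE = [f"{COOKIE}=abc123; Path=/"]
HARDENED_RESPONSE = [f"{COOKIE}=abc123; Path=/; Secure; HttpOnly"]
```

Feed it the Set-Cookie headers of a real login response over HTTPS to confirm both flags are present; a non-empty result means the acceptance criteria are not met.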
1. Do not access cookie from client side | Done | Unassigned
2. Set the secure flag for the Optimize cookie | Done | Unassigned
3. Optimize http connector/connection can be disabled | Done | Unassigned
4. Set the httpOnly flag for the Optimize cookie | Done | Unassigned