Former Member
Feb 26, 2009 at 10:08 AM

Set Infoview cookies as "Secure"

Hi guys,

One of our high-profile customers is performing a security test on their BO XI 3.0 environment and has received a red flag for the cookies generated by Infoview not being marked as secure:

"cookies issued by the application authentication process were not marked as secure. By marking a cookie as secure, a web browser will not leak the cookie over an insecure channel. It is recommended that, where possible, cookies be marked secure."

Moreover, they receive a warning stating that

"cookies issued by the application authentication process did not have a path set. By setting a path on a cookie, then that cookie's exposure can be restricted to within the scope of the application. It is recommended that, where possible, the application be modified to set a path on all cookies."

This behaviour is reproducible on a standard HTTPS deployment of BO XI 3. Can it be changed through configuration?

An example for a cookie not set to Secure, valid for 365 days and path / is InfoViewPLATFORMSVC_COOKIE_CMS

Any suggestions would be much appreciated.

Michael
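
The two findings quoted in the post can be re-checked after any configuration change by auditing the `Set-Cookie` values the server returns. The following is an added example, not part of the original post and not SAP code; the context path `/example-app`, the cookie values and the `EXAMPLE_SESSION*` names are constructed placeholders.

```python
# Added example: audits Set-Cookie values for the findings quoted in the post.
APP_PATH = "/example-app"  # assumed placeholder context path, not from the post

# Constructed sample headers; only the first cookie name comes from the post.
SAMPLE_HEADERS = [
    "InfoViewPLATFORMSVC_COOKIE_CMS=constructed-value; Max-Age=31536000; Path=/",
    "EXAMPLE_SESSION=constructed-value",
    "EXAMPLE_SESSION2=constructed-value; Path=/example-app; Secure",
]

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attributes dict, lower-cased keys)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name, attrs

def audit_cookie(header_value, app_path=APP_PATH):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing-secure")
    path = attrs.get("path")
    if not path:
        findings.append("missing-path")
    elif path != app_path and not path.startswith(app_path.rstrip("/") + "/"):
        findings.append("path-not-app-scoped")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > 0:
        findings.append(f"persistent-{int(max_age) // 86400}d")
    return name, findings

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_cookie(header))
```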