Hi guys,
one of our high-profile customers is performing a security test on their BO XI 3.0 environment and received a red flag for the cookies generated by Infoview not being marked as secure:
"cookies issued by the application authentication process were not marked as secure. By marking a cookie as secure, a web browser will not leak the cookie over an insecure channel. It is recommended that, where possible, cookies be marked secure."
Moreover, they receive a warning stating that
"cookies issued by the application authentication process did not have a path set. By setting a path on a cookie, that cookie's exposure can be restricted to within the scope of the application. It is recommended that, where possible, the application be modified to set a path on all cookies."
This behaviour is reproducible on a standard HTTPS deployment of BO XI 3. Can it be changed through configuration?
An example of a cookie not set to Secure, valid for 365 days and with path / is InfoViewPLATFORMSVC_COOKIE_CMS.
Any suggestions would be much appreciated.
Michael
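A defender-side check for the two scanner findings quoted above, as an added example that is not part of the original post or of BusinessObjects: it parses Set-Cookie headers, reports a missing Secure flag and a missing or over-broad Path, and shows what the hardened header should look like. The cookie value and the InfoView context path `/InfoViewApp` are assumptions.

```python
"""Audit Set-Cookie headers for the two findings in the post (no Secure flag,
no application-scoped Path) and render a hardened header.  Added example, not
code from the post or the product; values and context path are constructed."""

APP_PATH = "/InfoViewApp"  # assumed InfoView context path; adjust per deployment

# Canonical attribute spelling for rendering (names are case-insensitive per RFC 6265)
CANON = {"path": "Path", "max-age": "Max-Age", "expires": "Expires", "domain": "Domain",
         "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, app_path=APP_PATH):
    """Return the findings a scanner would raise for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: not marked Secure, browser may send it over plain HTTP")
    path = attrs.get("path")
    if path is None:
        findings.append(f"{name}: no Path set, scope defaults to the request URL directory")
    elif path == "/" and app_path != "/":
        findings.append(f"{name}: Path=/ is broader than the application scope {app_path}")
    return findings


def harden_set_cookie(header, app_path=APP_PATH):
    """Rebuild the header with Secure set and Path pinned to the application."""
    name, value, attrs = parse_set_cookie(header)
    attrs["path"] = app_path
    attrs["secure"] = ""  # flag attribute, rendered without a value
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANON.get(key, key)
        rendered.append(f"{label}={val}" if val else label)
    return "; ".join(rendered)


# Constructed sample mirroring the cookie named in the post (value is invented)
SAMPLE_HEADER = "InfoViewPLATFORMSVC_COOKIE_CMS=cms01; Path=/; Max-Age=31536000"

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADER):
        print(finding)
    print(harden_set_cookie(SAMPLE_HEADER))
```

Running the script against `SAMPLE_HEADER` prints both findings and then the hardened header with `Path=/InfoViewApp` and `Secure`.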