Cookie issue is holding up a launch.
We have ONE security vulnerability in our latest C5 install preventing us from getting permission to launch.
When it is scanned by our security folks, they come up with:
Set-Cookie: CONCRETE5=9uvcif4shgtd1asoflmvdnp6l2; expires=Tue, 10-Jan-2017 18:39:29 GMT; path=/; HttpOnly Cache-Control: no-cache X-Fra...TRUNCATED...
Quoth The Powers That Be: "... has decreed that no (organization) websites shall use persistent cookies except in very specific situations.
"Fix
"From a coding perspective, the only distinction between a session cookie and a persistent cookie is the 'Expires=' tag that specifies when a persistent cookie should expire. If a cookie has no 'Expires=' tag, then it is automatically interpreted as a session cookie. Removing the expiration date from the code that sets the cookie will change it to a session cookie."
Where do I find and how do I remove or override the code that generates the "Expires=" tag? Will that break concrete5?
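A check that reproduces the scanner's finding, added here as an example and not part of the original post or of concrete5's code. It flags any Set-Cookie header carrying Expires and, going beyond the quoted text, Max-Age, which also makes a cookie persistent (RFC 6265). The sample response and the `example_pref` cookie are constructed; the CONCRETE5 header is the one quoted above.

```python
# Added example: classify Set-Cookie headers as session or persistent.
PERSISTENCE_ATTRS = ("expires", "max-age")

# Constructed sample response headers (only the first cookie line is from the post).
SAMPLE = """\
HTTP/1.1 200 OK
Set-Cookie: CONCRETE5=9uvcif4shgtd1asoflmvdnp6l2; expires=Tue, 10-Jan-2017 18:39:29 GMT; path=/; HttpOnly
Set-Cookie: CONCRETE5=9uvcif4shgtd1asoflmvdnp6l2; path=/; HttpOnly
Set-Cookie: example_pref=1; Max-Age=3600; Path=/
Cache-Control: no-cache
"""


def parse_set_cookie(value):
    """Return (name, attrs) for one Set-Cookie value; attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def is_persistent(value):
    """True if the cookie survives the browser session (has Expires or Max-Age)."""
    _, attrs = parse_set_cookie(value)
    return any(a in attrs for a in PERSISTENCE_ATTRS)


def audit(raw_headers):
    """Return [(cookie_name, [attributes that make it persistent])] for a header block."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            reasons = [a for a in PERSISTENCE_ATTRS if a in attrs]
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE):
        print(f"persistent cookie: {name} ({', '.join(reasons)})")
```

Running it against the headers of a live response after any configuration change confirms whether the session cookie is still being sent with an expiry.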