Jeyan Burns-Oorjitham

How do I set the HttpOnly and Secure cookie attributes for a Customer Community user's oinfo and connect.sid cookies?

We recently had a security review of a Customer Community.

During the security review, the external security team identified that some cookies set during the community login process did not have the HttpOnly or Secure cookie attributes set.

The specific cookies in question were connect.sid and oinfo.

How do we configure our Salesforce community to properly set the HttpOnly and Secure cookie attributes for these cookies?
Jeyan Burns-Oorjitham
Update: I found some information here:
https://help.salesforce.com/articleView?id=000268571&language=en_US&type=1

Here's a quote of the information:


Secure Cookies

Why are certain cookies served from the salesforce.com domain not set as secure or set as persistent?

There are several cookies that the platform uses to enhance functionality which do not contain any session information. They cannot be used to gain access or escalate privilege if altered or accessed by an attacker. The session cookie "sid" is marked as secure and is non-persistent, i.e., the cookie is deleted when the browser is closed.

Why is the session cookie not set with HTTP Only flag?

You can require HttpOnly cookies for your organization under Setup > Security Controls > Session Settings > Require HttpOnly attribute. This will set the HttpOnly attribute only for the SID session cookie.


Based on the above information, it appears there is not currently any way to set the HttpOnly or Secure attributes on the oinfo cookie.

Can someone else confirm that this is the case?
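The check the external security team performed in the original question, and the Secure / HttpOnly / persistent distinctions the quoted help article draws, can be reproduced with a small audit script. The following is an added example, not code from the original posts or from Salesforce: it parses each Set-Cookie header of a response and reports which cookies lack Secure or HttpOnly and which are persistent (Expires or Max-Age present). The sample headers are constructed placeholders, not a captured login response, and the host and path in the `fetch_headers` call are hypothetical values you would replace with your own community's login URL.

```python
"""Audit the Set-Cookie headers of an HTTP response for missing HttpOnly / Secure.

Added example (not from the original thread or from Salesforce). The sample
headers below are constructed for illustration; the cookie values are
placeholders, not real session identifiers.
"""
import http.client
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    persistent: bool          # Expires or Max-Age present: survives browser close
    samesite: Optional[str]

    def findings(self) -> List[str]:
        """Attributes a security review would flag as missing."""
        out: List[str] = []
        if not self.secure:
            out.append("missing Secure")
        if not self.httponly:
            out.append("missing HttpOnly")
        return out


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value (RFC 6265 layout: name=value; attr; attr=val)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        persistent="expires" in attrs or "max-age" in attrs,
        samesite=attrs.get("samesite"),
    )


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each cookie name set in the response to its list of findings ([] = clean)."""
    report: Dict[str, List[str]] = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":        # one header per cookie; never comma-joined
            cookie = parse_set_cookie(hvalue)
            report[cookie.name] = cookie.findings()
    return report


def fetch_headers(host: str, path: str) -> List[Tuple[str, str]]:
    """Issue a GET and return the raw header list, keeping repeated Set-Cookie entries."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path, headers={"User-Agent": "cookie-audit/1.0"})
    resp = conn.getresponse()
    headers = resp.getheaders()                  # list of (name, value), duplicates preserved
    conn.close()
    return headers


# Constructed sample response headers (placeholders, not a real login response).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "sid=PLACEHOLDER_SESSION; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "oinfo=PLACEHOLDER; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT"),
    ("Set-Cookie", "connect.sid=PLACEHOLDER; Path=/; HttpOnly"),
]


if __name__ == "__main__":
    # For a live check use fetch_headers("<your-community-host>", "/<login-path>");
    # both values are hypothetical here and must be supplied by you.
    for cookie_name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name:12} {', '.join(problems) or 'OK'}")
```

Run it against the real login response (the request that sets the cookies, which may be a redirect rather than the final page) and compare the report with the finding from the review; a cookie that is persistent but carries no session data is what the quoted help article describes as acceptable, whereas a missing Secure flag on any cookie is still worth raising if the community is ever reachable over plain HTTP.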