Vulnerability in EPiServer.Forms
I've been looking for a while now trying to find out if there is a configuration change that will change visitor groups over from session based retention to cookie based.
I'm aware this can be done through custom visitor groups but i'm looking for a simpler solution.
I'm also looking for this, have you done any progress?
No progress unfortunately. I'd say custom visitor groups would be the way to go.
AFAIK there is no way to switch from session-based to just cookie. A few of the built-in visitor group criteria DO set a cookie (e.g. the "Number of Visits" criteria leaves the cookie "EPi:NumberOfVisits") but the collective persistance data per user is session only.
You probably have to develop a custom criteria that leaves a cookie containing the info you want. In addition, you'd need to develop your own storage for the actual persisted data. David Knipe and I had a discussion regarding this in the comments section over at http://www.david-tec.com/2015/09/cookie-drop-block-for-episerver/