Something came up in our pen testing, flagging the Episerver Forms cookies as insecure, as they are used without the 'Secure' flag.
I am talking about the EpiForm_guid_guid cookie, which is set when a form is submitted.
Is there any way to set this as secure?
I appreciate that it's HttpOnly and there really isn't much other than the form GUID and submission ID in there, but nonetheless it would be nice to get this removed from the pen test list.
I can't find any settings in the Forms module config, and, I guess because we are using a slightly modified view for the form itself, I tried using the same requireSsl that can be used on the Epi login form, with no luck.
Is there anything else I can do?
If you add <httpCookies requireSSL="true" /> to the <system.web> section of your config, that should mark the forms cookie (and most others) as secure.
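For reference, here is what that setting looks like in context, as an added example that is not part of the original thread or of Episerver's own configuration. It assumes a standard ASP.NET web.config with a <system.web> section; everything unrelated is left out. The two settings are shown side by side because the one the question tried (requireSSL on <forms>) only governs the forms-authentication ticket cookie, whereas requireSSL on <httpCookies> changes the default Secure value for every HttpCookie the application creates, which is why it also catches cookies written by third-party modules such as EpiForm_guid_guid.

```xml
<!-- Added example, not from the original post or Episerver's shipped config.
     Assumes a standard ASP.NET web.config; unrelated sections are omitted. -->
<configuration>
  <system.web>

    <!-- Before (typical default): only HttpOnly is forced. ASP.NET sets the Secure
         attribute only on cookies whose code asks for it, so a cookie written by a
         module you do not control, such as EpiForm_guid_guid, is sent without it. -->
    <!--
    <httpCookies httpOnlyCookies="true" />
    -->

    <!-- After: requireSSL="true" makes Secure the default for every HttpCookie the
         application creates, so the Forms module cookie picks it up with no code change.
         Caveat: with this set, ASP.NET refuses to write a cookie on a plain-HTTP request
         (it throws an HttpException), so the whole site must be served over HTTPS, with
         HTTP redirected to HTTPS before any page that sets cookies. A module that
         explicitly sets Secure = false on its own cookie is not affected, hence
         "most others" rather than "all". -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <authentication mode="Forms">
      <!-- This requireSSL only applies to the forms-authentication ticket cookie
           (the login cookie). It does nothing for the EpiForm cookie, which is why
           setting it on the login form had no effect on the pen test finding. -->
      <forms requireSSL="true" />
    </authentication>

  </system.web>
</configuration>
```

To confirm the fix, submit a form over HTTPS and inspect the Set-Cookie response header (browser developer tools, or curl -i against the form's POST endpoint): the EpiForm_guid_guid cookie should now carry both Secure and HttpOnly. If any page is still reachable over plain HTTP after this change, expect the HttpException above rather than a silently insecure cookie, so deploy the HTTPS redirect first.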