Try our conversational search powered by Generative AI!

securing the cookie


Something came up in our PEN testing, flagging the episerver forms cookies as insecure, as it is used without the 'secure' flag

I am talking about the EpiForm_guid_guid which is set when a form is submitted.

is there anyway to set this as secure?

I appreciate that its HttpOnly and there really isnt much other than the form guid and submissionid in there, but nonetheless it would be nice to get this removed from the pen test list.

I cant find any settings in the forms module config and I guess as we are using a slightly modified view for the form itself, tried using the same requireSsl that can be used on the epi login form with no luck.

is there anything else I can do?


Apr 08, 2021 7:42


If you add <httpCookies requireSSL="true" /> into the <system.web> part of your config that should mark the forms cookie (and most others) as secure.

Apr 08, 2021 11:40
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.