I’ve searched the forums and the issue tracker and have not managed to get to the bottom of this. I am scanning my server for vulnerabilities for the purposes of PCI DSS compliance and I am getting errors relating to HttpOnly cookies.
This appears to have been half addressed as the session (sid) cookie is now set to be HttpOnly, however there are other cookies being set that are not HttpOnly. The cookies ‘redirect’ and ‘testing’ are set at the login screen (even before login).
Is there a way to either disable these or set them to HttpOnly?
Thanks in advance.