Details
Improvement
Resolution: Won't Do
Neutral
Description
As seen in MGNLPN-250, cookies should have at least the httpOnly flag turned on. secure is also good to have, but only when running the site over HTTPS. The script we currently use to personalize which type of tour is shown to a returning user doesn't set those flags. As it uses JavaScript, it can't set the httpOnly flag. And while it could set the secure flag when it detects an https URL, it would be best if it respected the JCR configuration set in the filter since MGNLPN-250. For that reason it would be good to create that cookie with Java rather than JS.
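An added example (not Magnolia's code and not part of the original issue) of creating the cookie server-side in Java: it builds the Set-Cookie header with HttpOnly and Secure driven by configuration. The cookie name tourType, the CookieFlags record standing in for the JCR filter configuration, and the rule of sending Secure only on HTTPS requests are assumptions.

```java
import java.util.regex.Pattern;

public class TourCookie {
    // Hypothetical stand-in for the flags read from the filter's JCR configuration.
    record CookieFlags(boolean httpOnly, boolean secure) {}

    // Names and values are limited to a conservative character set so a value
    // can never inject attributes (";") or extra header lines (CR/LF).
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    static String setCookieHeader(String name, String value, CookieFlags flags,
                                  boolean requestIsHttps, int maxAgeSeconds) {
        if (!SAFE.matcher(name).matches() || !SAFE.matcher(value).matches()) {
            throw new IllegalArgumentException("unsafe cookie name or value");
        }
        StringBuilder header = new StringBuilder(name).append('=').append(value)
                .append("; Path=/; Max-Age=").append(maxAgeSeconds);
        if (flags.httpOnly()) {
            // Only a server response can set this; document.cookie cannot.
            header.append("; HttpOnly");
        }
        // Assumption: Secure is sent only when configured AND the request came
        // in over HTTPS, since modern browsers reject Secure cookies set over HTTP.
        if (flags.secure() && requestIsHttps) {
            header.append("; Secure");
        }
        return header.toString();
    }

    public static void main(String[] args) {
        CookieFlags configured = new CookieFlags(true, true); // constructed sample config
        int thirtyDays = 30 * 24 * 60 * 60;
        // In a servlet filter the result would go to response.addHeader("Set-Cookie", ...).
        System.out.println(setCookieHeader("tourType", "beach", configured, true, thirtyDays));
        System.out.println(setCookieHeader("tourType", "beach", configured, false, thirtyDays));
        try {
            // Constructed malicious value attempting to smuggle an attribute.
            setCookieHeader("tourType", "beach; Domain=example.test", configured, true, thirtyDays);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```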