do3cc

Reputation: 204

According to the German BSI, Plone does not use secure cookies OOTB. How do I change that?

The BSI has published a security analysis of various CMS systems. Plone was quite successful, but got negative points for OOTB security functionality.

Namely, no HTTPS by default and no secure cookies for authentication OOTB. How can I change to secure cookies?

Upvotes: 2

Views: 218

Answers (2)

vangheem

Reputation: 3293

BSI should be updated. Plone has always provided the ability to secure cookies OOTB. See "How to set `secure` and `httpOnly` for Plone's `__ac` cookie?" for directions.

Upvotes: 0

woliveirajr

Reputation: 9483

Yes, it can be done:

Given the prerequisite of using Plone over HTTPS, the following extra settings can be used for the cookie: 'HttpOnly' and 'Secure'. The easiest method to do this with the least impact is using the Apache mod_headers module, with the 'edit' action (available from Apache 2.2.4):

Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

(source: http://plone.org/documentation/kb/securing-plone)

Upvotes: 3
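The `Header edit` line above appends `;Secure;HttpOnly` to every `Set-Cookie` header unconditionally, so it is worth seeing what that does to cookies that already carry the attributes, and having a quick way to audit the result. The following is an added example, not code from the original answer or from Plone's documentation: it emulates the regex rewrite the Apache directive performs, shows an idempotent variant that only adds the attributes a cookie lacks, and audits a list of `Set-Cookie` values for the two attributes the BSI report flagged. The sample header values are constructed for this example (the `__ac` cookie name is Plone's authentication cookie from the question; the other names and all values are illustrative).

```python
import re
from typing import Dict, List

# Constructed Set-Cookie values for this example (not captured from a real site).
# The first mimics Plone's __ac authentication cookie without any attributes,
# the second already carries both attributes, the third is a plain preference cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    '__ac="YWRtaW46c2VjcmV0"; Path=/',
    '_ZopeId="12345678A1B2c3D4e5"; Path=/; Secure; HttpOnly',
    'I18N_LANGUAGE="en"; Path=/',
]


def cookie_flags(set_cookie: str) -> Dict[str, bool]:
    """Report whether a Set-Cookie value carries the Secure and HttpOnly attributes.

    Attributes follow the first ';' and are matched case-insensitively, as
    browsers do (RFC 6265 attribute names are case-insensitive).
    """
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per cookie that lacks Secure or HttpOnly.

    Run this over the Set-Cookie headers of the response that actually sets
    the auth cookie (the login POST), not just the front page.
    """
    findings = []
    for header in headers:
        name = header.split("=", 1)[0].strip()
        flags = cookie_flags(header)
        missing = [flag for flag, present in flags.items() if not present]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
    return findings


# The exact pattern and replacement used by the answer's Apache directive:
#   Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
_APACHE_PATTERN = re.compile(r"^(.*)$")


def apache_header_edit(set_cookie: str) -> str:
    """Emulate the directive literally: append the attributes unconditionally.

    Cookies that already carry Secure/HttpOnly end up with the attributes twice.
    Browsers tolerate the duplicate, but it is noise, and it shows the rewrite
    is blind to what the backend already sent.
    """
    return _APACHE_PATTERN.sub(r"\1;Secure;HttpOnly", set_cookie, count=1)


def add_flags_idempotent(set_cookie: str) -> str:
    """Safer rewrite: add only the attributes that are absent."""
    flags = cookie_flags(set_cookie)
    out = set_cookie
    if not flags["secure"]:
        out += "; Secure"
    if not flags["httponly"]:
        out += "; HttpOnly"
    return out


def harden_all(headers: List[str]) -> List[str]:
    """Apply the idempotent rewrite to every Set-Cookie header of a response."""
    return [add_flags_idempotent(h) for h in headers]


if __name__ == "__main__":
    print("before:", audit_cookies(SAMPLE_SET_COOKIE_HEADERS))
    print("after: ", audit_cookies(harden_all(SAMPLE_SET_COOKIE_HEADERS)))
```

Two caveats when translating this back to Apache. First, `Header edit` without a condition only operates on the headers of 2xx responses; the mod_headers documentation notes that a locally generated non-2xx response such as a redirect only uses the `always` table, so if the response that sets `__ac` is a redirect, check it with `curl -sI` and switch to `Header always edit Set-Cookie ...` if the attributes are missing. Second, the rewrite marks every cookie `HttpOnly`, including ones client-side JavaScript may legitimately need to read; narrow the regex to the authentication cookie (for example anchor it on `^__ac=`) if that breaks anything.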
