Cookie without HttpOnly flag set

Found in: EPiServer.Forms 4.11.0
Fixed in: EPiServer.Forms 4.14.0
Created: May 21, 2018
Updated: Jun 12, 2018
Area: ViewMode rendering
State: Closed, Fixed and tested


Description

Steps to reproduce:

1. Log in to the CMS system using an end-user account.
2. Navigate to an installed Form.
3. Submit data.
4. Check whether the HttpOnly flag is set on the cookies the application issues.

Expected:
The HttpOnly flag should be set. If the HttpOnly attribute is set on a cookie, the cookie's value cannot be read or set by client-side JavaScript.

Actual:
The following cookie was issued by the application and does not have the HttpOnly flag set:
Set-Cookie: EPiForm_beff90c8-5786-4438-b7d9-3c3e5467d7e9_0990a564-3d58-4a12-b7d4-8911aeb4998c:user1={"formGuid":"beff90c8-5786-4438-b7d9-3c3e5467d7e9","submissionId":"dd3b5ee0-bc0f-406d-833e-e38405fafdd3","isFinalized":true}; path=/
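As an added example (not Episerver's code), the check behind step 4 written as a small Python audit of a Set-Cookie header, run here against the header quoted above; it goes one step beyond the report by also flagging a missing Secure attribute.

```python
# Added example: audit a Set-Cookie header for missing security attributes.
# Not EPiServer.Forms code; REPORTED_HEADER is the header quoted in the bug report.
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # lower-cased attribute name -> value

    @property
    def missing(self) -> list:
        """Security attributes this cookie lacks (HttpOnly per the report, Secure as an extra)."""
        missing = []
        if "httponly" not in self.attributes:
            missing.append("HttpOnly")
        if "secure" not in self.attributes:
            missing.append("Secure")
        return missing


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix).

    Per RFC 6265 the first ';'-separated segment is name=value and the rest are
    attributes; attribute names are matched case-insensitively. The name/value
    split uses the *first* '=' only, since EPiServer.Forms stores JSON in the value.
    """
    if header.lower().startswith("set-cookie:"):
        header = header[len("set-cookie:"):]
    segments = [s.strip() for s in header.split(";")]
    name, sep, value = segments[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie must start with name=value")
    attrs = {}
    for seg in segments[1:]:
        if seg:
            key, _, val = seg.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return CookieAudit(name.strip(), value.strip(), attrs)


# The header quoted in the "Actual" section of this report.
REPORTED_HEADER = (
    "Set-Cookie: EPiForm_beff90c8-5786-4438-b7d9-3c3e5467d7e9_"
    "0990a564-3d58-4a12-b7d4-8911aeb4998c:user1="
    '{"formGuid":"beff90c8-5786-4438-b7d9-3c3e5467d7e9",'
    '"submissionId":"dd3b5ee0-bc0f-406d-833e-e38405fafdd3","isFinalized":true}; path=/'
)

if __name__ == "__main__":
    audit = parse_set_cookie(REPORTED_HEADER)
    print(audit.name, "is missing:", ", ".join(audit.missing) or "nothing")
```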