Secure cookie missing HttpOnly and secure flag

Found in

EPiServer.CMS.Core 11.14.2

Fixed in

EPiServer.CMS.Core 11.15.1

Created

Mar 06, 2020

Updated

May 15, 2020

Area

CMS Core

State

Closed, Fixed and tested


Description

Prerequisite: In the config file, the user set <httpCookies httpOnlyCookies="true" requireSSL="true" />.

Steps to reproduce

1) Open a new Incognito window.
2) Check the Secure and HttpOnly flags on both cookies: EPi: NumberOfVisits and the ASPNet Session cookie.
3) Delete the ASPNet Session cookie.
4) Refresh the page.
5) The EPi: NumberOfVisits cookie doesn't have HttpOnly or Secure set.
6) All communication between the application, the load balancer and the servers is over HTTPS.
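
The flag check in steps 2 and 5 can be scripted against the Set-Cookie response headers. The following is an added example, not code from Episerver or from this bug report; the function names and the sample header values (including the cookie names written without spaces) are constructed for illustration.

```python
# Added example: audit Set-Cookie response headers for missing Secure/HttpOnly.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names) for one header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as Secure carry no "=value".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(set_cookie_values):
    """Map each cookie name to the required flags its Set-Cookie header lacks."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
        else:
            # A later header for the same cookie replaces the earlier one.
            findings.pop(name, None)
    return findings


# Constructed sample: headers as they might look after the refresh in step 4,
# with the session cookie flagged correctly and the visit counter not.
SAMPLE_RESPONSE = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=Lax",
    "EPi:NumberOfVisits=1,2020-03-06T10:00:00; "
    "expires=Sat, 06-Mar-2021 10:00:00 GMT; path=/",
]

if __name__ == "__main__":
    for cookie, missing in missing_flags(SAMPLE_RESPONSE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie values captured from the browser's network tab or a proxy before and after deleting the session cookie to compare the two responses.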