Client cookies are not marked as secure and httpOnly

Description

Using `this.sessionCookie` allows setting the `secure` and `httpOnly` flags on `cfid` and `cftoken`, but if the Client store is set to Cookie, the Client cookies are not marked as httpOnly/secure. That breaks PCI Compliance.

Environment

None

Status

Assignee

Igal Sapir

Reporter

Igal Sapir

Labels

Fix versions

Priority

Major
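
One way to check a response for the condition reported in this ticket, as an added example that is not part of the ticket or of the project's code: it audits `Set-Cookie` headers and reports every cookie lacking `Secure` or `HttpOnly`. The sample headers, their values and the client cookie names `CFCLIENT_MYAPP` and `CFGLOBALS` are constructed assumptions; substitute the headers your own application returns.

```python
# Added example: audit Set-Cookie headers for missing Secure / HttpOnly flags.

def parse_set_cookie(header):
    """Return (cookie name, set of lowercase attribute names) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes may be bare flags (Secure) or key=value pairs (Path=/).
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(set_cookie_headers, required=("secure", "httponly")):
    """Map each cookie name to the sorted list of required flags it lacks."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = sorted(flag for flag in required if flag not in attrs)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: session cookies carry both flags (as configured through
# this.sessionCookie), while the client-storage cookies do not.
# Cookie names CFCLIENT_MYAPP and CFGLOBALS are assumed for illustration.
SAMPLE_HEADERS = [
    "cfid=3f2a9c10-constructed; Path=/; Secure; HttpOnly",
    "cftoken=0; Path=/; Secure; HttpOnly",
    "CFCLIENT_MYAPP=theme%3Ddark; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "CFGLOBALS=hitcount%3D3; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```
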