Article Details
Id: 17751
Product: finPOWER Connect Cloud
Type: NEW
Version: 3.03.05.15
Opened: 18/01/2021
Closed: 19/01/2021
Released: 26/02/2021
Job: J025785
Security Review; finCC_SessionId Cookie now has HttpOnly flag set
The Session Cookie used by finPOWER Connect Cloud (finCC_SessionId) could be read from JavaScript code, e.g.:
window.alert(document.cookie);
This Cookie is now flagged as "HttpOnly" (as can be seen in the Chrome developer tools, Application tab, under Cookies), meaning that it can no longer be read from JavaScript.
NOTE: Other Cookies such as "_highDpi" are still viewable since these are not security-related.
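The following is an added example, not finPOWER's own code, showing how a reviewer can check the change described above from the server's Set-Cookie headers: it parses each header, reports which cookies would still be exposed to a script reading document.cookie, and flags any session cookie that lacks HttpOnly. The cookie values are constructed for illustration; the Secure check goes beyond what the article states and is included as an additional review point.

```javascript
// Added example (not finPOWER's code). Cookie values are constructed.
// Parses a Set-Cookie header into its name, value and security attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueParts.join('='),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = rest.join('=').trim();
  }
  return cookie;
}

// Models what a page script calling document.cookie would see:
// browsers omit HttpOnly cookies from that string.
function scriptVisibleCookieString(cookies) {
  return cookies
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Review check: any cookie whose name suggests a session identifier
// must carry HttpOnly (and, as an extra assumption here, Secure).
function auditSessionCookies(cookies) {
  const findings = [];
  for (const c of cookies) {
    if (!/session/i.test(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
  }
  return findings;
}

// Constructed sample headers: the session cookie before and after the fix,
// plus the non-security "_highDpi" cookie that remains script-visible.
const SAMPLE_HEADERS = {
  before: 'finCC_SessionId=abc123; Path=/; Secure',
  after: 'finCC_SessionId=abc123; Path=/; Secure; HttpOnly',
  highDpi: '_highDpi=1; Path=/',
};

// Runs the audit over the "after" state and returns the visible string.
function demo() {
  const cookies = [
    parseSetCookie(SAMPLE_HEADERS.after),
    parseSetCookie(SAMPLE_HEADERS.highDpi),
  ];
  return {
    visible: scriptVisibleCookieString(cookies),
    findings: auditSessionCookies(cookies),
  };
}

console.log(demo());
```

Running the block prints only `_highDpi=1` as the script-visible cookie string and an empty findings list; parsing the "before" header instead yields a "missing HttpOnly" finding for finCC_SessionId.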