Views:


Applies to Product - Power Pages

What’s happening?
The customer reported that certain cookies on their Power Pages site, specifically "ai_session" and "isDSTObserved," do not have the HttpOnly attribute set, which raises concerns about potential security risks such as script attacks and information theft.
 

Reason:
The absence of the HttpOnly attribute on the specified cookies is due to the current configuration of the Power Pages site, which does not consider these cookies as vulnerabilities.
 

Resolution:

  • Addition of the HttpOnly attribute to the cookies "ai_session" and "isDSTObserved" is not possible under the current settings.
  • Security risk from script attacks is considered low for these cookies, which is why the HttpOnly flag is not applied.
  • Continue operating with the current configuration as the risk is deemed acceptable.