I am running Umbraco 7.4.2.
After logging in to the backend of our Umbraco installation using the latest version of Chrome, I press F12 to show the developer tools.
I noticed that on any page in the backend, an XSRF-TOKEN cookie is created that does not have the httpOnly flag set! Yet in my web.config I have this setting:
<system.web>
…
</system.web>
Since this setting in our web.config is site-wide, why/how does the XSRF-TOKEN cookie get created without the httpOnly flag being set?
Also, is there a way to set the XSRF-TOKEN cookie as httpOnly and requireSSL=true?
Thanks
BTD
This is a companion discussion topic for the original entry at https://our.umbraco.com/forum/79650-xsrf-token-cookie-does-not-have-httponly-flag-set