compatInsecureCookieDefaults

Release 1.4 - ...

As of iXperion 1.4 build 11, the defaults used when writing an HTTP cookie to the client have changed:

  • The HttpOnly property is set to true unless the cookie was created with httpOnly = false explicitly.

    This means that by default cookies are not accessible from client-side script (document.cookie), so a script-injection (XSS) bug in a page cannot read them.
    When client-side access to a cookie is needed, use an overload of the response.setcookie() viper that exposes the httpOnly setting and set it to false.

  • The Secure property is set to true whenever the incoming request arrives on a secure channel (HTTPS, i.e. SSL/TLS).

    This means that by default a cookie created during a request on a secure channel is only sent back by the browser over HTTPS, never over plain HTTP.
    To force a cookie to be transmitted over HTTPS only, whether or not the incoming request is on a secure channel, use an overload of the response.setcookie() viper that exposes the secure setting and set it to true.

    In a mixed environment (http | https) you may need an overload of the response.setcookie() viper that exposes the secure setting and set it to false, so that the cookie is available over both http and https. Be aware that such a cookie then travels in cleartext on every http request; do not do this for session or authentication cookies.

The compatibility setting compatInsecureCookieDefaults has been introduced to revert to the previous behaviour: no HttpOnly and no Secure flag unless the caller sets them explicitly. With it enabled, cookies are again readable by client-side script and are sent over plain HTTP, so treat it as a migration aid for code that has not yet been adjusted rather than as a permanent setting.
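To verify what an application actually emits, before and after toggling compatInsecureCookieDefaults, it helps to audit the Set-Cookie response headers against the new defaults. The following Python script is an added example and not iXperion code (the viper syntax is not reproduced here); the sample headers are constructed, and the attribute names HttpOnly and Secure are the standard RFC 6265 ones.

```python
"""Audit Set-Cookie response headers against the iXperion 1.4 cookie defaults.

Added example, not iXperion code. The sample headers below are constructed;
a real audit would feed in the headers captured from the application.
"""

# Constructed sample: three Set-Cookie headers as a server might emit them.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=k2j4h5k3j4h5; path=/; HttpOnly; Secure",
    "theme=dark; path=/; expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "prefs=compact; path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attributes are keyed case-insensitively; flag attributes such as
    HttpOnly and Secure map to True, valued ones (Path, Expires) to their text.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookie(header, request_is_https):
    """Return (cookie name, list of findings) for one Set-Cookie header.

    The checks mirror the 1.4 defaults: HttpOnly on every cookie, and Secure
    on every cookie written while the request came in over HTTPS.
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by client-side script")
    if request_is_https and "secure" not in attrs:
        findings.append("missing Secure on an HTTPS response: "
                        "the browser will also send it over plain HTTP")
    if not request_is_https and "secure" in attrs:
        findings.append("Secure set on a plain-HTTP response: "
                        "modern browsers reject such a cookie")
    return name, findings


def audit_headers(headers, request_is_https):
    """Audit a list of Set-Cookie headers; returns {cookie name: findings}."""
    return dict(audit_cookie(h, request_is_https) for h in headers)


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS, request_is_https=True).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

Run it once against headers captured from an HTTPS request and once against headers from a plain-HTTP request of the same mixed-mode application; a cookie flagged in both runs is one that needs an explicit secure setting in its setcookie() call.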

Notice it is also possible to require SSL for the cookies of an entire application. To enable this, create or adjust the httpCookies element within the web.config.
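The web.config fragment below is an added example, not configuration shipped with iXperion; it assumes the application runs on ASP.NET, as the web.config reference implies, and uses the standard ASP.NET attributes of the httpCookies element (requireSSL adds the Secure flag to every cookie the framework writes, httpOnlyCookies adds HttpOnly).

```xml
<configuration>
  <system.web>
    <!-- Added example: application-wide cookie flags via the ASP.NET
         httpCookies element. Merge into the existing web.config rather
         than replacing it. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Set requireSSL="true" only when the whole application is reachable over HTTPS alone: cookies written during a plain-HTTP request would then carry the Secure flag, and the browser will not accept or return them over HTTP.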