I’m hosting applications on Galaxy and I’m wondering if it is possible to force the galaxy-sticky cookie to “secure”. I have my applications set to force SSL so I don’t believe that there is a significant security risk, however, this cookie is flagged in some of our security scans as non-compliant.
This just popped up for me - did you end up finding a fix?
No. I’ll submit a support ticket today and update this thread if we figure it out.
This is the response I received from MDG:
“Thanks for your patience here. While we’ll consider this as a feature request, it isn’t currently possible for you to alter the cookie. We don’t consider this to be a significant security risk, because while the cookie could be set for secure, it really makes no security difference, in terms of programmatic access to this cookie from JavaScript. While we recognize this was flagged in your security scans, this change wouldn’t meaningfully impact your security posture. As I said, however, we will consider this as a feature request. I hope this clarifies the situation, but please let me know if you have any questions about this.”
I put it on my todo list to learn a bit more about the security concerns around this cookie setting. For now, I’m satisfied with the answer I received.
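The kind of cookie-flag check a security scan performs, as an added example that is not part of the original thread and not Galaxy's or MDG's code: it parses `Set-Cookie` header values and reports `Secure` (the cookie is not sent over plain HTTP) separately from `HttpOnly` (the cookie is hidden from `document.cookie`). The function names and all header values, including the `galaxy-sticky` one, are constructed for illustration and were not captured from Galaxy.

```javascript
// Added example: audit Set-Cookie header values for the attributes
// that cookie-flag checks report on. Function names are hypothetical.

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no cookie name: not a valid cookie-pair
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1), attrs: {} };
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive (RFC 6265).
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Return one finding record per header: cookie name plus a list of issues.
function auditCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    if (!c) { findings.push({ name: null, issues: ['unparseable'] }); continue; }
    const issues = [];
    const secure = 'secure' in c.attrs;
    // Secure: the browser will not send the cookie over plain HTTP.
    if (!secure) issues.push('missing Secure');
    // HttpOnly: the cookie is not readable through document.cookie.
    if (!('httponly' in c.attrs)) issues.push('missing HttpOnly');
    // Current browsers reject SameSite=None cookies that lack Secure.
    if (String(c.attrs.samesite).toLowerCase() === 'none' && !secure) {
      issues.push('SameSite=None without Secure');
    }
    findings.push({ name: c.name, issues });
  }
  return findings;
}

// Constructed sample headers (not real Galaxy output).
const sampleHeaders = [
  'galaxy-sticky=constructed-value; Path=/; HttpOnly',
  'session=constructed-value; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=constructed-value; SameSite=None',
];
console.log(JSON.stringify(auditCookies(sampleHeaders), null, 2));
```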