Following a security audit we have an issue where the cftoken has the expires set:
Set-Cookie: cfid=911de6b8-49f2-4ab2-9e03-ab8d3be23dcf;Path=/;Expires=Tue, 28-Apr-2048 21:16:39 GMT;HTTPOnly
Set-Cookie: cftoken=0;Path=/;Expires=Tue, 28-Apr-2048 21:16:39 GMT;HTTPOnly
I’d like to set the Expires bit to session or just omit it altogether, so that when the browser closes the session ends. I can’t find anything that will allow me to do that.
Can anyone advise? Should I turn off the automatic session handling and set the cookies myself without the expires key?