I have Plone 4.3.2 (Zope 2.13.21) installed. As mentioned in the documentation (http://plone.org/documentation/kb/securing-plone), cookies should be secure and httpOnly with Zope 2.12 or higher.
Also note that the suggested patch has been included in Zope 2.12.0 b1, so Plone 4, which will use Zope 2.12 or higher, won't have this problem
But if I log in as admin (or another user that is defined at zope-root) the __ac cookie is not secure and not httpOnly. If I log in as a user created in a site everything is fine. Is there a way to change this?