I have Plone 4.3.2 (Zope 2.13.21) installed. As mentioned in the documentation (http://plone.org/documentation/kb/securing-plone), cookies should be secure and httpOnly with Zope 2.12 or higher:

"Also note that the suggested patch has been included in Zope 2.12.0 b1, so Plone 4, which will use Zope 2.12 or higher, won't have this problem."

But if I log in as admin (or another user that is defined at the Zope root), the __ac cookie is not secure and not httpOnly. If I log in as a user created in a site, everything is fine. Is there a way to change this?
First off, to set cookie settings in Plone:

Then, as for root login, it depends on where you log in.

Zope root does not implement a cookie plugin; it only logs in with basic auth. IMO, you should never have the Zope root accessible without first tunneling or using a VPN to get into it.

Finally, you can disable the credentials_basic_auth plugin from your Plone site.
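A quick way to verify the behaviour described in the question and the answer (a site-level login sets an __ac cookie with Secure and HttpOnly, a Zope-root login over basic auth sets no __ac cookie at all, and anything in between is what you want to catch) is to look at the raw Set-Cookie headers of the login response rather than at the browser's cookie viewer. The script below is an added example written for this answer; it is not part of the question, the answer, or Plone/Zope itself. It runs under Python 3 with the standard library only. The three sample responses are constructed for the demo, not captured from a real server, and the hostname, paths and credentials in the usage comment are placeholders you replace with your own. It stops at the first response (no redirect following), because Plone's login normally answers with a redirect and that first response is the one carrying Set-Cookie.

```python
"""Check whether a login response's __ac cookie carries Secure and HttpOnly.

Added example for this Q&A; not code from the question, the answer, Plone or Zope.
"""
from http.cookies import SimpleCookie
import urllib.error
import urllib.request

# Flags a session cookie should carry when the site is served over HTTPS.
REQUIRED_FLAGS = ("secure", "httponly")


def cookie_flags(set_cookie_headers):
    """Map cookie name -> set of REQUIRED_FLAGS actually present.

    `set_cookie_headers` is a list of raw Set-Cookie header values (one per
    header line). Attribute names are matched case-insensitively by SimpleCookie.
    """
    flags = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Morsel stores flag attributes as True when present, "" otherwise.
            flags[name] = {flag for flag in REQUIRED_FLAGS if morsel[flag]}
    return flags


def missing_flags(set_cookie_headers, cookie_name="__ac"):
    """Return the set of required flags the named cookie lacks.

    An empty set means the cookie is fine. None means the cookie was never set,
    which is what a basic-auth-only login (Zope root) looks like: no session
    cookie exists, credentials are resent on every request instead.
    """
    present = cookie_flags(set_cookie_headers).get(cookie_name)
    if present is None:
        return None
    return set(REQUIRED_FLAGS) - present


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first response so its Set-Cookie headers are not lost."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead of following


def fetch_set_cookie(url, data=None, headers=None):
    """Perform one request and return the raw Set-Cookie values of the first response.

    `data` (bytes) turns the request into a POST; pass the login form fields there.
    Network access is only needed when this function is actually called.
    """
    request = urllib.request.Request(url, data=data, headers=headers or {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        response = opener.open(request)
    except urllib.error.HTTPError as err:  # the login redirect lands here
        response = err
    return response.headers.get_all("Set-Cookie") or []


# Constructed sample responses for an offline demo (not real server output).
SITE_USER_RESPONSE = ["__ac=YWRtaW4lM0FzZWNyZXQ; Path=/; Secure; HttpOnly"]
ROOT_USER_RESPONSE = ["__ac=YWRtaW4lM0FzZWNyZXQ; Path=/"]
BASIC_AUTH_ONLY_RESPONSE = []  # Zope root over basic auth: no cookie at all


def describe(set_cookie_headers, cookie_name="__ac"):
    """Human-readable verdict for one response's cookies."""
    missing = missing_flags(set_cookie_headers, cookie_name)
    if missing is None:
        return "%s not set (basic auth only?)" % cookie_name
    if not missing:
        return "%s ok: Secure and HttpOnly present" % cookie_name
    return "%s missing: %s" % (cookie_name, ", ".join(sorted(missing)))


if __name__ == "__main__":
    for label, sample in (("site user", SITE_USER_RESPONSE),
                          ("root user", ROOT_USER_RESPONSE),
                          ("basic auth", BASIC_AUTH_ONLY_RESPONSE)):
        print("%-10s %s" % (label, describe(sample)))
    # Live check against your own site (placeholders, assumed form field names):
    # body = urllib.parse.urlencode({"__ac_name": "user", "__ac_password": "pw",
    #                                "form.submitted": "1"}).encode()
    # print(describe(fetch_set_cookie("https://example.org/Plone/login_form", data=body)))
```

Run it once for a user defined in the Plone site and once for a user defined at the Zope root; the second case should report that no __ac cookie was set, which matches the answer's point that the root only authenticates with basic auth. A cookie that exists but lacks the flags is the case worth fixing in the site's cookie settings.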