According to the German BSI, Plone does not use secure cookies OOTB. How do I change that?

Submitted by 梦想的初衷 on 2019-12-08 02:01:36

Question


The BSI has published a Security Analysis of various CMS Systems. Plone was quite successful, but got negative points for OOTB security functionality.

Namely, no HTTPS by default and no secure cookies for authentication OOTB. How can I change to secure cookies?


Answer 1:


Yes, it can be done:

Given the prerequisite of using Plone over HTTPS, the following extra settings can be used for the cookie: 'HttpOnly' and 'Secure'. The easiest method to do this with the least impact is using the Apache mod_headers module, with the 'edit' action (available from Apache 2.2.4):

Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

(source: http://plone.org/documentation/kb/securing-plone )
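The directive above is a regex substitution over every Set-Cookie response header. The following added example (not part of the answer or of Plone) models that substitution in Python, adds a defender-side check that a Set-Cookie header really carries both attributes, and shows the one caveat of the `^(.*)$` rule: it appends the attributes unconditionally, so a cookie the application already flagged ends up with a duplicate. The `__ac` header values are constructed samples.

```python
"""Model of the mod_headers rule and a check for the resulting cookie flags."""
import re

# The directive's pattern and replacement (Apache's $1 is Python's \1).
EDIT_PATTERN = re.compile(r"^(.*)$")
EDIT_REPLACEMENT = r"\1;Secure;HttpOnly"

REQUIRED_FLAGS = {"secure", "httponly"}


def apply_edit_rule(set_cookie: str) -> str:
    """Apply `Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly` to one header value."""
    return EDIT_PATTERN.sub(EDIT_REPLACEMENT, set_cookie, count=1)


def cookie_attributes(set_cookie: str) -> list:
    """Lower-cased attribute names following the name=value pair."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return [p.split("=", 1)[0].lower() for p in parts if p]


def missing_flags(set_cookie: str) -> set:
    """Which of Secure / HttpOnly the header is still lacking (empty set = OK)."""
    return REQUIRED_FLAGS - set(cookie_attributes(set_cookie))


def add_missing_flags(set_cookie: str) -> str:
    """Idempotent variant (hypothetical helper, not an Apache directive): append only
    the attributes that are absent, so an already-secured cookie gets no duplicates."""
    present = set(cookie_attributes(set_cookie))
    extra = [f for f in ("Secure", "HttpOnly") if f.lower() not in present]
    return set_cookie + "".join(";" + f for f in extra)


# Constructed sample headers: a Plone __ac login cookie without flags, and one
# the application already marked HttpOnly.
SAMPLE_HEADERS = [
    "__ac=EXAMPLE-TOKEN; Path=/",
    "__ac=EXAMPLE-TOKEN; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        edited = apply_edit_rule(header)
        print(f"before: {header!r}  missing={sorted(missing_flags(header))}")
        print(f"edit  : {edited!r}  missing={sorted(missing_flags(edited))}")
        print(f"idem  : {add_missing_flags(header)!r}")
```

Run `missing_flags()` over the Set-Cookie headers of a real login response to confirm the rule is in effect after deploying it.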




Answer 2:


BSI should be updated. Plone has always provided the ability to secure cookies OOTB. See How to set `secure` and `httpOnly` for Plones `__ac` cookie? for directions.



Source: https://stackoverflow.com/questions/17193366/according-to-german-bsi-plone-does-not-use-secure-cookies-ootb-how-do-i-change
