Persistent Cookies Vulnerability - Confluence Server 6.13.8

Kelsicle October 24, 2019

Hi All,

I've been banging my head against this one for a couple of days now. We are running Confluence Server behind an Apache Reverse Proxy and require Security Scans to clear our applications for operation.

I have a 'Medium' level Vulnerability, 'Cookie Security: Persistent Cookie', that is being flagged against the cookies 'confluence-language' & 'confluence.browse.space.cookie'. This is caused by the Expiry/Max-Age directives in the Set-Cookie Header. I need to remove or alter these directives from the cookie to change these into Session Cookies rather than Persistent Cookies. I understand that these are not Authentication Cookies and just store language selections and the most recently visited page; however, we are attempting to enforce best practices...

I have tried adding the following line to httpd.conf, however this doesn't seem to have any effect as the original Max-Age directive remains in the cookie Header:

"Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure"

Any suggestions would be much appreciated.
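The directive quoted in the post only appends HttpOnly and Secure to each Set-Cookie header; it never removes anything, so Max-Age and Expires survive untouched. The following httpd.conf fragment is an added example (not from the post or from Atlassian) that edits those two attributes out of the two named cookies so the browser treats them as session cookies; it assumes Apache 2.4 with mod_headers loaded in front of Confluence.

```apache
# Added example, not part of the original post. Requires mod_headers (Apache 2.4).
# "always" applies the edit to every response, including 3xx redirects and error
# pages, where Confluence may also set these cookies. Each Set-Cookie header is
# edited on its own, so cookies other than the two named ones are left alone.
<IfModule mod_headers.c>
    # Strip "; Max-Age=<seconds>" from confluence-language and confluence.browse.space.cookie.
    # $1 keeps everything before the attribute; whatever follows it is untouched.
    Header always edit Set-Cookie "^((?:confluence-language|confluence\.browse\.space\.cookie)=[^;]*.*?);\s*[Mm]ax-[Aa]ge=[^;]*" "$1"

    # Strip "; Expires=<HTTP-date>" from the same two cookies. The date contains
    # commas and spaces but no semicolon, so [^;]* consumes it completely.
    Header always edit Set-Cookie "^((?:confluence-language|confluence\.browse\.space\.cookie)=[^;]*.*?);\s*[Ee]xpires=[^;]*" "$1"

    # The hardening line from the post, kept after the stripping edits so the
    # flags are appended to the already-shortened header value.
    Header always edit Set-Cookie "^(.*)$" "$1;HttpOnly;Secure"
</IfModule>
```

After reloading Apache, confirm the result from outside the proxy with something like `curl -skI https://<your-confluence-host>/ | grep -i '^set-cookie'`; the two cookies should show no Max-Age or Expires attribute while the remaining attributes and the other cookies are unchanged.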
