Insecure __cid cookie

I was looking through your web application in dev tools to see how it interacted with the API and noticed that there was an insecure cookie being set every second called __cid. I'm assuming it has something to do with application security (like preventing CSRF attacks) and is set on the client side, since no network transactions set the cookie. I just wanted to potentially bring it to the attention of the development or operations teams in case they were unaware that this cookie is configured to be allowed to send over insecure HTTP transactions in their production environment.
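
The observation above (a cookie written from client-side script, with no Set-Cookie response involved, that lacks the Secure attribute) can be checked systematically. The following is an added example, not code from this thread or from the login-protection vendor; the function names `parseCookieAssignment`, `auditCookieWrite` and `installCookieAudit` are hypothetical. It wraps the `document.cookie` setter so every client-side write, including those made by third-party scripts, is audited for the Secure and SameSite attributes before it takes effect.

```javascript
// Parse the string a script assigns to document.cookie, for example
// "__cid=abc; path=/; expires=...", into the cookie name and its attributes.
function parseCookieAssignment(str) {
  const [nameValue, ...rest] = str.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf('=');
  const name = (eq >= 0 ? nameValue.slice(0, eq) : nameValue).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    attrs[key] = i >= 0 ? part.slice(i + 1).trim() : true; // flag attributes have no value
  }
  return { name, attrs };
}

// Report the attribute gaps that matter for transport and cross-site exposure.
function auditCookieWrite(str) {
  const { name, attrs } = parseCookieAssignment(str);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure (cookie will also be sent over plain HTTP)');
  if (!attrs.samesite) findings.push('missing SameSite (browser default applies)');
  return { name, findings };
}

// Install an auditing wrapper around the cookie accessor of `doc` (the page's
// document object). The real accessor lives on a prototype (Document.prototype
// in browsers), so walk the chain to find it, then shadow it on the instance.
// `report` receives the audit result of every write; the write still happens.
function installCookieAudit(doc, report) {
  let proto = doc;
  let desc;
  while (proto && !(desc = Object.getOwnPropertyDescriptor(proto, 'cookie'))) {
    proto = Object.getPrototypeOf(proto);
  }
  if (!desc || !desc.set) throw new Error('no cookie setter found on document');
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return desc.get.call(doc); },
    set(value) {
      report(auditCookieWrite(String(value)));
      desc.set.call(doc, value);
    },
  });
}
```

In a browser, `installCookieAudit(document, console.warn)` run before third-party scripts load logs each write that omits Secure, which is how a cookie like the one described above would show up with the script that set it visible in the console stack trace.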

Reply:

Hey chasebrewsky! Thanks for pointing that out! I checked with our developers on this, and they said that cookie is being set by the service we use to protect our logins:
https://www.castle.io/
Their latest version no longer sets this cookie at all, and when we upgrade to it, this will go away.

But we appreciate the heads up on that!
