How to set web widgets cookie to secure and httpOnly? | Community

How to set web widgets cookie to secure and httpOnly?

  • April 20, 2021
  • 1 reply
  • 0 views

Hi there,
my company has gone through a penetration test by an external security company, and they reported that a couple of cookies were not using the HttpOnly and Secure flags. The specific cookie is "__zlcmid" from Zendesk's web widget, and we weren't able to find documentation on how to enable the aforementioned flags.
Can you please advise whether it is possible to set those two flags and how?

Thanks,
Franklin Dattein

1 reply

Sabra
  • May 7, 2021

Hey Franklin! These flags cannot be set for the __zlcmid cookie. For a little bit of background, this cookie is used to identify a Chat end-user, and we have been using this cookie and its config for many years. Back then, all-https websites were not a thing, and a common scenario was that the main webpages used http but checkout pages used https. So, we set the cookie as not-secured, so both https and http pages can see the same value of __zlcmid, maintaining the same Chat end-user identity when they move around the pages.

However, if you wish, you can use the Authenticated Chat Visitor feature for secure visitor authentication. Using this means the __zlcmid cookie is not used at all.

The following 2 articles will give you more information on how to implement Authenticated Chat Visitor.
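As an added example (not Zendesk's code, and not how the widget itself is implemented), here is a small Python audit of Set-Cookie headers. It reproduces the kind of finding the pentest reported on a constructed __zlcmid header, and it encodes the browser rule behind Sabra's explanation: a cookie without Secure is sent on both http and https pages, so one value can follow the visitor across schemes. All cookie values are placeholders.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not Zendesk code. The sample headers below are constructed
and the cookie values are placeholders, not real identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and report missing flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    audit = CookieAudit(name, "secure" in attrs, "httponly" in attrs)
    if not audit.secure:
        audit.findings.append("missing Secure: also sent over plain http")
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: readable by page scripts")
    return audit


def would_be_sent(audit: CookieAudit, scheme: str) -> bool:
    """Browser rule: a Secure cookie is only sent on https requests.

    A cookie without Secure goes out on both schemes, which is what lets a
    single __zlcmid value persist from http pages to an https checkout page.
    """
    return scheme == "https" or not audit.secure


# Constructed sample headers (placeholder values).
SAMPLE_HEADERS = [
    "__zlcmid=PLACEHOLDER_CHAT_ID; Path=/; Expires=Wed, 21 Apr 2022 00:00:00 GMT",
    "session=PLACEHOLDER_SESSION; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def audit_headers(headers):
    return [parse_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for a in audit_headers(SAMPLE_HEADERS):
        print(f"{a.name}: {'; '.join(a.findings) or 'OK'}")
```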