Merative Ideas Portal

Status Delivered
Created by Guest
Created on Jul 21, 2016

httponly attribute is not set by default on the jsessionid cookie OOTB

The HttpOnly attribute on a cookie tells the browser that the cookie must not be accessible to client-side JavaScript and should only be passed back and forth between the browser and the server.

This is important for cookies that carry anything sensitive, such as the JSESSIONID. A session ID obtained by an attacker allows the session to be hijacked, which makes it a common target.

Modern browsers will block JavaScript access to the cookie when this attribute is set.

As such, we should set this by default in our web server configuration.

We would need to set this value by default and test that the functionality continues to work. Because of another issue (the use of the session variable to determine whether the session has changed), this may break current application behaviour. The details of the functionality that relies on this are here: http:cems.curamsoftware.com:8080/browse/TEC-11767?focusedCommentId=284803&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-284803

This should be addressed in a future release, both to fix the issue and to reduce the noise in our application security scan reports.
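Added example, not code from the original request or from the Cúram product: a small Python check that parses Set-Cookie headers and reports a JSESSIONID cookie that lacks HttpOnly or Secure, which is the condition a scanner flags as noise. The header lines are constructed sample input.

```python
# Flags a session cookie must carry; compared case-insensitively.
REQUIRED_FLAGS = ("httponly", "secure")

# Constructed sample response headers; not captured from any real deployment.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=0000AAAABBBB:example; Path=/Curam",
    "Set-Cookie: JSESSIONID=0000CCCCDDDD:example; Path=/Curam; Secure; HttpOnly",
    "Set-Cookie: theme=dark; Path=/; Max-Age=3600",
    "Content-Type: text/html; charset=UTF-8",
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare
    equal; valueless flags such as Secure map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _sep, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_headers(headers, session_cookie="JSESSIONID"):
    """Return [(cookie_name, missing_flags)] for each session cookie lacking a flag."""
    findings = []
    for line in headers:
        hname, _sep, hvalue = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        cname, _cvalue, attrs = parse_set_cookie(hvalue.strip())
        if cname != session_cookie:
            continue
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings.append((cname, missing))
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS):
        print(f"{cookie} is missing: {', '.join(missing)}")
```

On Servlet 3.0 and later containers the same flags can be set declaratively in web.xml under session-config/cookie-config, which is the usual way to make them the default for JSESSIONID.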

Customer Name ReturnToWorkSA
  • Guest, Feb 15, 2021

    Hi Chris,
    We are pleased to inform you that your enhancement request has been delivered in the new release of IBM Social Program Management, version 7.0.11.0.

    The secure and httponly flags are now set correctly by default.

    Thank you for taking the time to share your ideas with us. We are now closing this request as delivered.

    Regards,
    Shane McFadden, SPM Offering Management team
    You can find more information on the request process here.

  • Guest, Aug 6, 2016

    Hi,

    We acknowledge that this is a valid enhancement request. It will be considered for inclusion in a future release of the product. Thank you for your interest in the Cúram product.

    Thanks,
    Eloise O'Riordan, Cúram SPM Offering Management team