We've noticed that Yellowfin creates a persistent cookie called IPID after login.
This cookie is both persistent (12 hours) and does not have the HttpOnly index. This can be potentially dangerous, as the cookie can be taken and put into another browser, after which the system would automatically log in.
Is there any way to disable this functionality in YW administration or a configuration file?
With best regards,
Hope you are well,
Sorry for the delay in responding to you. I have done some investigation into your request and I can advise that there is a way for you to disable cookies being stored altogether. By default, the cookie created when a user logs in to Yellowfin is only valid for seven days from the last time the user accesses their account. This period can be changed by setting the External API cookie timeout value in Administration > Configuration > Email. To disable the cookie altogether, set the value to 0.
If you do have any further questions please feel free to contact us.
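
One way to confirm the change took effect, as an added example that is not part of the original thread and not Yellowfin code: audit the `Set-Cookie` headers of a login response for an `IPID` cookie that is persistent or lacks `HttpOnly`. The header values below are constructed samples, and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes-with-lowercase-keys)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """Seconds the browser keeps the cookie; None means session-only."""
    try:
        if "max-age" in attrs:            # Max-Age takes precedence over Expires
            return int(attrs["max-age"])
        if "expires" in attrs:
            return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    except (TypeError, ValueError):
        pass                              # unparseable value: treat as session cookie
    return None

def audit_login_cookies(set_cookie_headers, name="IPID", now=None):
    """Return findings for the named cookie in a login response's Set-Cookie headers."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in set_cookie_headers:
        cookie, attrs = parse_set_cookie(header)
        if cookie != name:
            continue
        life = lifetime_seconds(attrs, now)
        if life is not None and life <= 0:
            continue                      # server is deleting the cookie, not issuing it
        if life is not None:
            findings.append(f"{name} persists for {life} s")
        if "httponly" not in attrs:
            findings.append(f"{name} lacks HttpOnly")
    return findings

# Constructed sample headers (not captured from a real Yellowfin instance).
BEFORE = ["JSESSIONID=abc123; Path=/; HttpOnly",
          "IPID=example-token; Max-Age=43200; Path=/"]   # 43200 s = 12 hours
AFTER = ["JSESSIONID=abc123; Path=/; HttpOnly"]  # timeout set to 0: no IPID expected

if __name__ == "__main__":
    print(audit_login_cookies(BEFORE))
    print(audit_login_cookies(AFTER))
```

An empty result for the login response after setting the timeout to 0 indicates that no persistent `IPID` cookie is being issued.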