KB Article #177870

The VIDUSR cookie is not set as secure and HttpOnly

Problem

* The VIDUSR cookie sent by the administration port (8090) is not set with the Secure and HttpOnly attributes, so it is flagged by security auditors: without Secure the cookie may be sent over plain HTTP, and without HttpOnly it is readable from client-side script.

Resolution

-- This can be fixed by editing the Protect Management Interfaces policy on your admin node manager(s) as follows:

  1. Open the node manager's configuration in Policy Studio (/apigateway/conf/fed/configs.xml)
  2. Browse to the policy "Protect Management Interfaces"
  3. Open the filter "Create Session"
  4. Switch on the settings "Session sent over SSL only" and "HTTP Only cookie"
  5. Restart the node manager
  6. Connect to port 8090 and confirm that the Set-Cookie header for VIDUSR now carries the Secure and HttpOnly attributes.
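To make step 6 repeatable, here is a small check, added as an example for this article and not part of the product. It parses Set-Cookie header lines and reports which cookies are missing the Secure or HttpOnly attribute; the sample header values are constructed, and the optional live fetch assumes a hostname and port you supply (a CA file is needed if the admin interface uses a private certificate).

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not Axway's code). Works offline on constructed sample
headers, or against a live admin port via fetch_set_cookie_headers().
"""
import http.client
import ssl
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into the cookie name and a set of
    lower-cased attribute names (Path, Secure, HttpOnly, ...)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attributes": attrs}


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attribute names]} for each header.
    An empty list means the cookie carries both Secure and HttpOnly."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        c = parse_set_cookie(h)
        missing = [a for a in ("secure", "httponly") if a not in c["attributes"]]
        findings[c["name"]] = missing
    return findings


def fetch_set_cookie_headers(host: str, port: int = 8090, path: str = "/",
                             cafile: Optional[str] = None) -> List[str]:
    """Fetch the Set-Cookie headers from a live server over TLS.
    host/port/path are assumptions for your environment; pass cafile to
    trust a private CA so certificate verification stays enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]


# Constructed sample headers: what the auditor flagged, and what the
# node manager should send once both settings are switched on.
SAMPLE_BEFORE = "VIDUSR=abc123; Path=/"
SAMPLE_AFTER = "VIDUSR=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for h in (SAMPLE_BEFORE, SAMPLE_AFTER):
        print(h, "->", audit_cookies([h]))
```

Run it against a live node manager with `audit_cookies(fetch_set_cookie_headers("your-anm-host", cafile="ca.pem"))`; an empty list for VIDUSR confirms the fix.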