V14.7.7 Upgrade - Session Fixation flaws related to user and anonymous ID cookies

Hi Team,

Post v14.7.7 CMS upgrade, we have performed security scans and found flaws related to session fixation. Could you please let us know if we can delete these cookies at the Apache level?

Cookie names: ajs_anonymous_id and ajs_user_id

Looks like the above-mentioned cookies were introduced in Bloomreach v14.7.6/14.7.7.

Thanks,
Yeshwanth.

I don’t think those are set by us…
you can check:

@machak

When we tried running the Maven archetype project (v14.7.7) developer edition, I can see these cookies. Refer to the snapshot.

Thanks,
Yeshwanth.