Post by earthgirlllc » Tue Jul 24, 2018 2:40 am

I'm trying to help a client pass a PCI scan, and we're down to one fail but I'm not sure how to address it. The site is on an active SSL for both admin and customer facing. This is the PCI flag we're getting:

    Non-Secure Session Cookies Identified
    The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.

I've disputed this stating that we're definitely on an SSL for the client's domain only, and they're asking the following:

    Thank you for providing that information. Can your organization confirm that "PHPSESSID" and "default" are not session cookies but rather tracking cookies that have nothing to do with authentication to this system?

Can anyone help with this question? I appreciate it - thank you!

New member
Joined: Mon Apr 11, 2011 11:02 am

Post by straightlight » Tue Jul 24, 2018 4:16 am

OC version?

The most generated errors being found on the Opencart forum originate from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.

F. Rules:

- viewtopic.php?f=176&t=200480
- viewtopic.php?f=176&t=200804


Regards,
Straightlight


Legendary Member
Joined: Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by earthgirlllc » Tue Jul 24, 2018 4:18 am

I knew I forgot something - v2.3.0.2 using Journal Framework.


Post by straightlight » Tue Jul 24, 2018 5:16 am

OC v3.0.2.0 has been rebuilt regarding its engine and startup configuration files and even the 3.1.0.0a (alpha) release. If you run a PCI scan on those versions, can you confirm the same results?


Post by earthgirlllc » Tue Jul 24, 2018 5:52 am

Hi, thanks for the response but I'm not sure I follow. This site is on v2.3.0.2, I just need to know what that session ID does and how to force it to be secure on this version.


Post by OSWorX » Tue Jul 24, 2018 2:19 pm

PHPSESSID and default are session cookies but not really used for authentication (e.g. against any other user data).
Want to have it secured (https) - change the code inside
../system/library/session.php

Forum Rules [en]: viewtopic.php?f=176&t=200480
Forumregeln [de]: viewtopic.php?f=37&t=114208
Commercial Request: viewforum.php?f=88

Expert Member
Joined: Mon Jan 11, 2010 10:52 pm
Location - Austria
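As an added illustration (not OpenCart's own session.php and not code from anyone in this thread): the cookie-setup pattern behind the scanner finding, shown first without the Secure flag and then hardened so both the PHPSESSID cookie and the second "default" cookie carry Secure and HttpOnly. The exact lines in 2.3.0.2 differ; the helper names, the `$key` parameter and the proxy header handling are assumptions.

```php
<?php
// Added example, not OpenCart's own session.php: the cookie pattern behind the
// "Non-Secure Session Cookies" finding, shown weak and then hardened.

// Weak: lifetime and path are set, but the 4th (secure) argument keeps its
// default of false, so the browser also sends PHPSESSID over plain http://.
function weak_session_start() {
    ini_set('session.use_only_cookies', 'On');
    ini_set('session.use_trans_sid', 'Off');
    session_set_cookie_params(0, '/');
    session_start();
}

// Decide whether this request arrived over TLS. The forwarded header is only
// trustworthy if a proxy you control overwrites it on every request (assumption).
function request_is_https() {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Hardened: Secure (sent only over TLS) and HttpOnly (no script access).
// The positional form of session_set_cookie_params() works on PHP 5.x/7.x.
function hardened_session_start($key = 'default') {
    $secure = request_is_https();
    ini_set('session.use_only_cookies', 'On');
    ini_set('session.use_trans_sid', 'Off');
    ini_set('session.cookie_httponly', 'On');
    session_set_cookie_params(0, '/', '', $secure, true);
    session_start();
    // OpenCart 2.x also stores the session id in a second cookie (the "default"
    // cookie the scanner named, assumed here); give it the same flags.
    setcookie($key, session_id(), 0, '/', '', $secure, true);
}

// Re-check after the change: feed each Set-Cookie line from
// `curl -sI https://your-shop/` in here; true means the finding still applies.
function set_cookie_lacks_secure($header) {
    $value = preg_replace('/^set-cookie:\s*/i', '', trim($header));
    $parts = array_map('trim', explode(';', $value));
    $name  = strtok($parts[0], '=');
    $attrs = array_map('strtolower', array_slice($parts, 1));
    return in_array($name, array('PHPSESSID', 'default'), true)
        && !in_array('secure', $attrs, true);
}
```

Because the Secure flag makes the browser withhold the cookie on http:// requests, set it only when the shop is actually served over HTTPS, or a plain-HTTP install will lose its session on every request.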

Post by earthgirlllc » Wed Jul 25, 2018 1:47 am

Thank you!
