Post by earthgirlllc » Tue Jul 24, 2018 2:40 am

I'm trying to help a client pass a PCI scan, and we're down to one fail but I'm not sure how to address it. The site is on an active SSL for both admin and customer facing. This is the PCI flag we're getting:

Non-Secure Session Cookies Identified
The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.
I've disputed this, stating that we're definitely on an SSL for the client's domain only, and they're asking the following:

Thank you for providing that information. Can your organization confirm that "PHPSESSID" and "default" are not session cookies but rather tracking cookies that have nothing to do with authentication to this system?
Can anyone help with this question? I appreciate it - thank you!


Post by straightlight » Tue Jul 24, 2018 4:16 am

OC version?

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by earthgirlllc » Tue Jul 24, 2018 4:18 am

I knew I forgot something - v2.3.0.2 using Journal Framework.


Post by straightlight » Tue Jul 24, 2018 5:16 am

OC v3.0.2.0, and even the 3.1.0.0a (alpha) release, has been rebuilt regarding its engine and startup configuration files. If you run a PCI scan on those versions, can you confirm the same results?


Post by earthgirlllc » Tue Jul 24, 2018 5:52 am

Hi, thanks for the response but I'm not sure I follow. This site is on v2.3.0.2, I just need to know what that session ID does and how to force it to be secure on this version.


Post by OSWorX » Tue Jul 24, 2018 2:19 pm

PHPSESSID and default are session cookies but not really used for authentication (e.g. against any other user data).
Want to have it secured (https)? Change the code inside ../system/library/session.php

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.


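To show what "change the code inside session.php" amounts to in practice, here is an added example (not OpenCart's code and not OSWorX's; it assumes the 2.3.0.2 Session constructor starts PHP's native session with ini_set() and session_set_cookie_params(), and that the "default" cookie is written with a separate setcookie() call in the startup code, which then needs the same treatment). The helper names request_is_https(), set_hardened_cookie() and cookies_missing_secure() are this example's own, and the sample Set-Cookie headers at the bottom are constructed, not captured from a real shop. The last function does what the PCI scanner does, so you can check the response headers of the fixed site (for example from `curl -sI https://shop.example/`, a constructed hostname) before paying for a re-scan.

```php
<?php
// Added example, not OpenCart's own code. Hardens the session cookie
// (PHPSESSID) and any extra cookie such as OpenCart's "default" with the
// Secure and HttpOnly attributes, and audits Set-Cookie headers for the
// Secure flag the way the PCI scanner does.

/**
 * True when the current request arrived over TLS.
 * The X-Forwarded-Proto branch is an assumption that only holds when a
 * proxy or load balancer you control terminates TLS; remove it otherwise,
 * because an untrusted client could set that header and get a cookie
 * marked Secure over a plain HTTP hop.
 */
function request_is_https() {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($_SERVER['SERVER_PORT']) && (int)$_SERVER['SERVER_PORT'] === 443) {
        return true;
    }
    // Assumption: a trusted reverse proxy sets this header.
    return isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
}

/**
 * Drop-in shape for the 2.3.x system/library/session.php constructor
 * (assumed layout; compare with the file in your install before editing).
 */
class SecureSession {
    public $data = array();

    public function __construct() {
        if (!session_id()) {
            $secure = request_is_https();

            ini_set('session.use_only_cookies', 'On');
            ini_set('session.use_trans_sid', 'Off');
            ini_set('session.cookie_httponly', 'On');
            // The attribute the scanner is looking for: with it set, the
            // browser never sends PHPSESSID over an unencrypted connection.
            // It is conditional so an http:// request still gets a session
            // instead of silently losing its cookie on every page load.
            ini_set('session.cookie_secure', $secure ? 'On' : 'Off');

            // lifetime 0 (until browser closes), path "/", default domain,
            // secure as computed above, httponly always.
            session_set_cookie_params(0, '/', '', $secure, true);
            session_start();
        }
        $this->data =& $_SESSION;
    }

    public function getId() {
        return session_id();
    }
}

/**
 * Use in place of the plain setcookie() call that writes the "default"
 * cookie, so it carries the same Secure/HttpOnly attributes as PHPSESSID.
 */
function set_hardened_cookie($name, $value, $expire = 0, $path = '/') {
    return setcookie($name, $value, $expire, $path, '', request_is_https(), true);
}

/**
 * Given the raw Set-Cookie header values of one HTTPS response, return the
 * names of cookies that lack the Secure attribute (attribute names are
 * case-insensitive, so "secure" and "Secure" both count).
 */
function cookies_missing_secure(array $set_cookie_headers) {
    $missing = array();
    foreach ($set_cookie_headers as $header) {
        $parts = array_map('trim', explode(';', $header));
        $name_value = array_shift($parts);
        $name_parts = explode('=', $name_value, 2);
        $attrs = array_map('strtolower', $parts);
        if (!in_array('secure', $attrs, true)) {
            $missing[] = $name_parts[0];
        }
    }
    return $missing;
}

// Constructed sample headers: what the scanner saw before the change,
// and what the same response should look like afterwards.
$before = array(
    'PHPSESSID=abc123; path=/; HttpOnly',
    'default=abc123; path=/',
);
$after = array(
    'PHPSESSID=abc123; path=/; secure; HttpOnly',
    'default=abc123; path=/; secure; HttpOnly',
);
print_r(cookies_missing_secure($before));
print_r(cookies_missing_secure($after));
```

cookies_missing_secure() reports both cookies for the first array and nothing for the second. Two caveats a scanner will not tell you: Secure only stops the browser from sending the cookie over HTTP, so a session that was first created over an http:// page (admin or storefront) will be lost once the user moves to https://, which is why forcing HTTPS for the whole site (and ideally HSTS) belongs alongside this change; and a Journal or other theme that sets its own cookies with setcookie() will trip the same finding until those calls are hardened too.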

Post by earthgirlllc » Wed Jul 25, 2018 1:47 am

Thank you!
