PCI & Session Cookies issue
Posted: Tue Jul 24, 2018 2:40 am
I'm trying to help a client pass a PCI scan, and we're down to one fail but I'm not sure how to address it. The site is on an active SSL for both admin and customer facing. This is the PCI flag we're getting:
I've disputed this stating that we're definitely on an SSL for the client's domain only, and they're asking the following:
Can anyone help with this question? I appreciate it - thank you!
Code: Select all
Non-Secure Session Cookies Identified
The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.Code: Select all
Thank you for providing that information. Can your organization confirm that organization can confirm that "PHPSESSID" and "default" are not session cookies but rather tracking cookies that have nothing to do with authentication to this system?