Post by HAO » Sun Aug 23, 2020 12:40 am

I have 4 computers, I also use my mobile device to test checkout. Samsung Galaxy A70

No problems occurred in all processes. Do you think it is caused by other cookie files that I use?

For example, using Facebook or Google cookie files?


Post by ADD Creative » Sun Aug 23, 2020 12:50 am

I would doubt it. They will only be used by Facebook or Google, I can't see that your payment extension would use them. You could always try disabling them.

www.add-creative.co.uk



Post by ADD Creative » Thu Sep 10, 2020 8:32 pm

A few issues with your solution.

In system/library/session.php your session_set_cookie_params has the domain hardcoded. You should not set the domain at all or at the very least use ini_get('session.cookie_domain').

config/phpmailer/get_oauth_token.php is not part of OpenCart.

You are setting httponly of the language, tracking and currency cookies for PHP 7.3+ where this was not set before. Just be aware there could be rare cases where an extension or theme accesses them via JavaScript.

You might also want to mention most sites won't be affected, only sites where a payment gateway returns with a POST. Making the changes necessarily would lose the security benefits.

Also the changes will be completely different for OpenCart 3.x and 1.

www.add-creative.co.uk
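
The points raised in the post above (domain taken from the ini settings rather than hardcoded, SameSite=None only where a gateway returns with a POST, the PHP 7.3 options array) put together in one helper. This is an added example, not OpenCart code or code from either poster; the function names, the header fallback for PHP below 7.3 and the sample values are assumptions.

```php
<?php
// Added example, not OpenCart code: every function name here is hypothetical.

// Build setcookie() attributes from the session ini settings instead of hardcoding them.
function example_cookie_options(int $lifetime, bool $isHttps, bool $gatewayPostsBack, bool $httpOnly): array
{
    // SameSite=None is only honoured together with Secure, so relax it only over
    // HTTPS and only when a payment gateway returns the customer with a POST.
    $sameSite = ($gatewayPostsBack && $isHttps) ? 'None' : 'Lax';
    $options = [
        // setcookie() wants a Unix timestamp; 0 means "until the browser closes".
        'expires'  => $lifetime > 0 ? time() + $lifetime : 0,
        'path'     => ini_get('session.cookie_path') ?: '/',
        'secure'   => $isHttps || filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN),
        'httponly' => $httpOnly,
        'samesite' => $sameSite,
    ];
    $domain = (string)ini_get('session.cookie_domain');
    if ($domain !== '') {
        $options['domain'] = $domain; // left out when unset, giving a host-only cookie
    }
    return $options;
}

function example_send_cookie(string $name, string $value, array $o): bool
{
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, $o); // the options array needs PHP 7.3+
    }
    // Older PHP has no samesite argument, so write the header by hand.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value) . '; Path=' . $o['path'];
    if ($o['expires'] > 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $o['expires']) . ' GMT';
    }
    if (isset($o['domain'])) {
        $header .= '; Domain=' . $o['domain'];
    }
    $header .= ($o['secure'] ? '; Secure' : '') . ($o['httponly'] ? '; HttpOnly' : '');
    header($header . '; SameSite=' . $o['samesite'], false);
    return true;
}

// Constructed usage: the gateway flag is set, so cookies become SameSite=None over HTTPS.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$lifetime = (int)ini_get('session.cookie_lifetime');
example_send_cookie('OCSESSID', 'constructed-session-id', example_cookie_options($lifetime, $https, true, true));
// Pass httponly = false only if a theme or extension reads the cookie from JavaScript.
example_send_cookie('currency', 'GBP', example_cookie_options(30 * 86400, $https, true, true));
```

On a plain HTTP request the helper falls back to SameSite=Lax, because a SameSite=None cookie without Secure is rejected by current browsers.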



Post by fegdeed » Tue Jan 12, 2021 2:27 pm

HAO wrote:
Fri Aug 14, 2020 12:34 am
Open
system/library/session.php

Find

Code:

			setcookie($key, $this->session_id, ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'), ini_get('session.cookie_secure'), ini_get('session.cookie_httponly'));
Replace

Code:

			setcookie($key, $this->session_id, ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => ini_get('session.cookie_httponly')]);
Find

Code:

		setcookie($key, '', time() - 42000, ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
Replace

Code:

		setcookie($key, '', ['expires' => time() - 42000, 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true]);
I could not find this code in system/library/session.php for OpenCart 3.0.2 Default theme... Is there another file it should be placed in?


Post by ADD Creative » Tue Jan 12, 2021 8:37 pm

fegdeed wrote:
Tue Jan 12, 2021 2:27 pm
I could not find this code in system/library/session.php for OpenCart 3.0.2 Default theme... Is there another file it should be placed in?
For OpenCart 3.0.x and PHP 7.3 try.
viewtopic.php?f=202&t=219633#p797082

www.add-creative.co.uk



Post by fegdeed » Tue Jan 12, 2021 9:43 pm

ADD Creative wrote:
Tue Jan 12, 2021 8:37 pm
fegdeed wrote:
Tue Jan 12, 2021 2:27 pm
I could not find this code in system/library/session.php for OpenCart 3.0.2 Default theme... Is there another file it should be placed in?
For OpenCart 3.0.x and PHP 7.3 try.
viewtopic.php?f=202&t=219633#p797082
Thank you @ADD Creative, I tried that but only the OCSESSID cookie shows secure, both language and currency cookies show Same-site connections only.

Attachments: currency.png, language.png, OCSESSID.png



Post by ADD Creative » Tue Jan 12, 2021 10:26 pm

Did you try the changes in the linked post at the bottom? viewtopic.php?f=190&t=216579&start=20#p796020 Just ignore the session setcookie $key cookie changes and do the language and currency ones.

www.add-creative.co.uk



Post by fegdeed » Tue Jan 12, 2021 11:21 pm

ADD Creative wrote:
Tue Jan 12, 2021 10:26 pm
Did you try the changes in the linked post at the bottom? viewtopic.php?f=190&t=216579&start=20#p796020 Just ignore the session setcookie $key cookie changes and do the language and currency ones.
Yes @ADD Creative, thank you...it looks like it was cached in the browser lol...
Everything is showing secure now :) .
