A recent PCI scan of one of our live sites, based on OpenCart 3.0.2.0, resulted in this fail message with regard to PCI compliance:
Insecure configuration of Cookie attributes
URL: https://www.megahome-distillers.co.uk/i ... /cart/edit
Port: tcp/443
Has anybody got a solution for this issue?
Looking at the developer console, the website already uses a secure, HTTP-only OCSESSID cookie, hence my question above.
Attachment: developer console - Screenshot_2021-08-16_15-02-11.png
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
Could it be the issue of the OCSESSID being set twice in every response that is confusing the scanner?
It does indeed set it twice, e.g.
system/framework.php: setcookie('OCSESSID', 'xxxxxxxxxxxxxxxxxxx', 0, '/', '', true, true);
catalog/controller/startup/session.php: setcookie('OCSESSID', 'xxxxxxxxxxxxxxxxxxx', 0, '/', '', true, true);
However, the response headers only come back with one OCSESSID, and its value isn't changed!
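A way to see what such a scanner is actually looking at, as an added example that is not part of this thread or of OpenCart's code: a small Python audit of the Set-Cookie headers in one response. The rule set it applies (Secure on HTTPS, HttpOnly, a valid SameSite value, and no cookie name set twice in the same response) is an assumption about what "Insecure configuration of Cookie attributes" covers; the sample headers are constructed, and the cookie names other than OCSESSID are made up for illustration.

```python
"""Audit the Set-Cookie headers of one HTTP response the way a PCI-style cookie
scanner does (added example, not OpenCart code; the exact rule set is an assumption)."""
from urllib.request import urlopen


def parse_set_cookie(header_value):
    """Split one raw Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True,
    valued ones (Path=/, SameSite=Lax) to their string value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(set_cookie_headers, https=True):
    """Return a list of findings for the Set-Cookie headers of one response.

    Per cookie: Secure (only meaningful over HTTPS), HttpOnly, and a valid SameSite
    value; SameSite=None is accepted only together with Secure.
    Per response: the same cookie name set more than once."""
    findings = []
    seen = {}
    for raw in set_cookie_headers:
        name, value, attrs = parse_set_cookie(raw)
        seen.setdefault(name, []).append(value)
        if https and "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        samesite = attrs.get("samesite")
        if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict", "none"):
            findings.append(f"{name}: missing or invalid SameSite")
        elif samesite.lower() == "none" and "secure" not in attrs:
            findings.append(f"{name}: SameSite=None requires Secure")
    for name, values in seen.items():
        if len(values) > 1:
            how = "identical values" if len(set(values)) == 1 else "different values"
            findings.append(f"{name}: set {len(values)} times in one response ({how})")
    return findings


def fetch_set_cookie_headers(url):
    """Fetch url and return its raw Set-Cookie values (live check, not used by the
    sample run below). urlopen follows redirects, so only the final response is audited."""
    with urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample response: OCSESSID as the thread describes it (Secure and
# HttpOnly set, no SameSite) plus two made-up preference cookies with no attributes.
SAMPLE_RESPONSE = [
    "OCSESSID=0f3c2a9b8d7e6f5a4b3c2d1e0f9a8b7c; path=/; secure; HttpOnly",
    "currency=GBP; expires=Wed, 15-Sep-2021 14:02:11 GMT; path=/",
    "language=en-gb; expires=Wed, 15-Sep-2021 14:02:11 GMT; path=/",
]

# Constructed response in which both setcookie() calls reached the client.
SAMPLE_DOUBLE_SET = [
    "OCSESSID=0f3c2a9b8d7e6f5a4b3c2d1e0f9a8b7c; path=/; secure; HttpOnly",
    "OCSESSID=0f3c2a9b8d7e6f5a4b3c2d1e0f9a8b7c; path=/; secure; HttpOnly",
]

# Constructed hardened form of the session cookie for comparison (SameSite present).
SAMPLE_HARDENED = [
    "OCSESSID=0f3c2a9b8d7e6f5a4b3c2d1e0f9a8b7c; path=/; secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for label, headers in (("as described", SAMPLE_RESPONSE),
                           ("set twice", SAMPLE_DOUBLE_SET),
                           ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for finding in audit_set_cookie(headers) or ["no findings"]:
            print(" ", finding)
```

To run it against the live site, replace SAMPLE_RESPONSE with fetch_set_cookie_headers(url). If the only finding for OCSESSID is the missing SameSite, that is consistent with the two setcookie() calls quoted above: the seven-argument signature has no SameSite parameter, so the cookie goes out with Secure and HttpOnly but nothing more, and a scanner that also checks SameSite (an assumption about this scanner) will still fail it. On PHP 7.3 and later the options-array form, setcookie($name, $value, ['expires' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']), can set it; the duplicate-name check is there to confirm or rule out the "set twice" hypothesis from the response itself rather than from the source.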