Our site is SSL secured site, and Magento 'secure' and 'unsecure' URL variables both point at https:// URL. However PCI audit indicated that cookies are unsecure. They want to see the 'secure' keyword when cookies are created via Set-Cookie in page header. I see Magento uses this function in \shop\app\code\core\Mage\Core\Model\Cookie.php <pre class="prettyprint"><code>if (is_null($secure)) { $secure = $this->isSecure(); } if (is_null($httponly)) { $httponly = $this->getHttponly(); } setcookie($name, $value, $expire, $path, $domain, $secure, $httponly); </code></pre> but I am not sure where value is isSecure() is coming from and why does not contain text 'secure'? SetCookie in page header: <pre class="prettyprint"><code>frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; path=/; domain=www.mydomaine.com; HttpOnly" </code></pre>

Magento set secure cookies for admin only, try to install http://www.magentocommerce.com/magento-connect/secure-frontend-cookie.html module, it should help :) If it does not help help just override <code>isSecure</code> from <code>Mage_Core_Model_Cookie</code> model, method: <pre class="prettyprint"><code>public function isSecure() { return $this->_getRequest()->isSecure(); } </code></pre>

where is 'secure' tag in Magento cookie on SSL secure site?

Our site is SSL secured site, and Magento 'secure' and 'unsecure' URL variables both point at https:// URL. However PCI audit indicated that cookies are unsecure. They want to see the 'secure' keyword when cookies are created via Set-Cookie in page header.

I see Magento uses this function in \shop\app\code\core\Mage\Core\Model\Cookie.php

if (is_null($secure)) {
            $secure = $this->isSecure();
        }
        if (is_null($httponly)) {
            $httponly = $this->getHttponly();
        }

        setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);

but I am not sure where value is isSecure() is coming from and why does not contain text 'secure'?

SetCookie in page header:

frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; 
path=/; domain=www.mydomaine.com; HttpOnly"

How do I set a secure attribute for cookies?

Launch Google Chrome and go to either WEB or CAWEB portal website. Press F12 (from Keyboard) to launch Developer Tools. Go to Application tab -> Cookies ( left Panel) and ensure the Secure column was ticked.

How do I fix missing secure flag in SSL cookies?

For the "Missing Secure Attribute in Encrypted Session (SSL) Cookie" message, configure the secure attribute in WebSphere Application Server: In the administrative console, click Server > all servers > <select server> > Session Management > Enable Cookies link > Restrict cookies to HTTPS sessions. Click Apply or OK.

What is cookie with secure attribute?

A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute.

Magento set secure cookies for admin only, try to install http://www.magentocommerce.com/magento-connect/secure-frontend-cookie.html module, it should help :)

If it does not help help just override isSecure from Mage_Core_Model_Cookie model, method:

public function isSecure()
{ 
    return $this->_getRequest()->isSecure(); 
}

where is 'secure' tag in Magento cookie on SSL secure site?

Tags:

http-headers

php

cookies

magento

Mustapha George

People also ask

1 Answers

kuba_ceg

Recent Activity

Donate For Us

where is 'secure' tag in Magento cookie on SSL secure site?

Tags:

http-headers

php

cookies

magento

Mustapha George

People also ask

1 Answers

kuba_ceg

Related questions

Recent Activity

Donate For Us