Our site is an SSL-secured site, and the Magento 'secure' and 'unsecure' URL variables both point at an https:// URL. However, the PCI audit indicated that cookies are insecure: they want to see the 'secure' keyword when cookies are created via Set-Cookie in the page header.
I see Magento uses this code in \shop\app\code\core\Mage\Core\Model\Cookie.php
    // no explicit $secure flag was passed: fall back to the model's isSecure()
    if (is_null($secure)) {
        $secure = $this->isSecure();
    }
    // same fallback for the HttpOnly flag
    if (is_null($httponly)) {
        $httponly = $this->getHttponly();
    }
    // $secure controls whether PHP appends "; secure" to the Set-Cookie header
    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
but I am not sure where the value of isSecure() is coming from and why it does not contain the text 'secure'?
Set-Cookie in page header:
    frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT;
    path=/; domain=www.mydomaine.com; HttpOnly
To verify the flag in a browser: launch Google Chrome and open the WEB or CAWEB portal website. Press F12 to open Developer Tools, go to the Application tab, select Cookies in the left panel, and check that the Secure column is ticked for each cookie.
For the "Missing Secure Attribute in Encrypted Session (SSL) Cookie" message, configure the secure attribute in WebSphere Application Server: In the administrative console, click Server > all servers > <select server> > Session Management > Enable Cookies link > Restrict cookies to HTTPS sessions. Click Apply or OK.
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute.
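The following is an added example, not part of the original question or of any answer on this page: a small PHP script that parses the Set-Cookie lines of a response and reports which cookies lack the Secure or HttpOnly attribute, which is what the PCI scanner is checking. The function name auditSetCookieHeaders is chosen here, and the sample headers are constructed from the one quoted in the question.

```php
<?php
// Added example (not Magento code): audit Set-Cookie headers for the
// Secure and HttpOnly attributes, the way a PCI scanner does.

/**
 * Parse raw header lines and return, per cookie name, the list of
 * required attributes that are missing (an empty array means compliant).
 *
 * @param string[] $headers raw header lines, e.g. from get_headers($url, 0)
 * @return array<string, string[]>
 */
function auditSetCookieHeaders(array $headers): array
{
    $findings = [];
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = trim(substr($line, strlen('Set-Cookie:')));
        // The first "name=value" pair is the cookie; the rest are attributes.
        $parts = array_map('trim', explode(';', $value));
        $pair  = array_shift($parts);
        $name  = explode('=', $pair, 2)[0];
        // Attribute names are case-insensitive; Secure and HttpOnly carry no value.
        $attrs = array_map('strtolower', $parts);
        $missing = [];
        foreach (['Secure', 'HttpOnly'] as $required) {
            if (!in_array(strtolower($required), $attrs, true)) {
                $missing[] = $required;
            }
        }
        $findings[$name] = $missing;
    }
    return $findings;
}

// Constructed sample: the header quoted in the question (Secure missing)
// plus a compliant admin cookie with a made-up session id. To audit a live
// site, pass get_headers('https://www.mydomaine.com/', 0) instead.
$sample = [
    'HTTP/1.1 200 OK',
    'Set-Cookie: frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; path=/; domain=www.mydomaine.com; HttpOnly',
    'Set-Cookie: adminhtml=0t2v5q4ok1p7hnf4e0ae6l6rh1; path=/; domain=www.mydomaine.com; Secure; HttpOnly',
];

foreach (auditSetCookieHeaders($sample) as $cookie => $missing) {
    echo $cookie, ': ', $missing ? 'MISSING ' . implode(', ', $missing) : 'ok', PHP_EOL;
}
```

Run it over the real site's headers after every change to the cookie model; the frontend session cookie is the one the audit flagged, so it is the one to watch.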
Magento sets secure cookies for admin only; try to install the http://www.magentocommerce.com/magento-connect/secure-frontend-cookie.html module, it should help :)
If it does not help, just override isSecure from the Mage_Core_Model_Cookie model, method:
public function isSecure()
{
return $this->_getRequest()->isSecure();
}
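As an added example (not code from the answer above and not Magento's own code), here is the shape of a minimal local-codepool module that performs that override. The module name Example_SecureCookie and all file paths are assumptions; the two XML files are shown in a comment because they live beside the PHP class. The override keeps the flag tied to the request scheme, because a cookie sent with Secure over plain HTTP is discarded by the browser.

```php
<?php
// Added example, not Magento's own code: a local module that rewrites
// Mage_Core_Model_Cookie so frontend cookies are also flagged Secure on
// HTTPS requests. Module name and paths are assumptions.
//
// app/etc/modules/Example_SecureCookie.xml:
//   <config><modules><Example_SecureCookie>
//     <active>true</active><codePool>local</codePool>
//   </Example_SecureCookie></modules></config>
//
// app/code/local/Example/SecureCookie/etc/config.xml:
//   <config>
//     <global><models><core><rewrite>
//       <cookie>Example_SecureCookie_Model_Cookie</cookie>
//     </rewrite></core></models></global>
//   </config>
//
// app/code/local/Example/SecureCookie/Model/Cookie.php:

class Example_SecureCookie_Model_Cookie extends Mage_Core_Model_Cookie
{
    /**
     * Core Magento only reports "secure" for the admin area. Here every
     * request that arrived over HTTPS gets the Secure attribute, so the
     * "frontend" session cookie is covered too.
     *
     * The flag must still follow the request: a Secure cookie set during a
     * plain-HTTP request is dropped by the browser and users get logged out.
     * Behind a TLS-terminating proxy, the request's isSecure() depends on the
     * offloader header configured under System > Configuration > Web > Secure,
     * so check that setting if this still returns false on HTTPS pages.
     */
    public function isSecure()
    {
        return $this->_getRequest()->isSecure();
    }

    /**
     * Defence in depth: ignore a caller's explicit $secure = false on an
     * HTTPS request, so no code path can emit an unflagged cookie over TLS.
     */
    public function set($name, $value, $period = null, $path = null, $domain = null, $secure = null, $httponly = null)
    {
        if ($this->isSecure()) {
            $secure = true;
        }
        return parent::set($name, $value, $period, $path, $domain, $secure, $httponly);
    }
}
```

After installing the module, clear the cache and re-check the Set-Cookie header on an HTTPS page: the frontend cookie line should now end with "; secure; HttpOnly".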