where is 'secure' tag in Magento cookie on SSL secure site?

Our site is an SSL-secured site, and the Magento 'secure' and 'unsecure' URL variables both point at an https:// URL. However, a PCI audit indicated that the cookies are insecure. They want to see the 'secure' keyword when cookies are created via Set-Cookie in the page header.

I see Magento uses this function in \shop\app\code\core\Mage\Core\Model\Cookie.php

    // Excerpt from Mage_Core_Model_Cookie::set(): when the caller passes no
    // $secure/$httponly values, they default to isSecure() and getHttponly()
    if (is_null($secure)) {
        $secure = $this->isSecure();
    }
    if (is_null($httponly)) {
        $httponly = $this->getHttponly();
    }

    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);

but I am not sure where the value of isSecure() is coming from and why the cookie does not contain the text 'secure'.

Set-Cookie in the page header:

    frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; path=/; domain=www.mydomaine.com; HttpOnly

Mustapha George asked Nov 07 '14 02:11


1 Answer

Magento sets secure cookies for admin only; try installing the http://www.magentocommerce.com/magento-connect/secure-frontend-cookie.html module, it should help :)

If it does not help, just override isSecure from the Mage_Core_Model_Cookie model, method:

    public function isSecure()
    {
        return $this->_getRequest()->isSecure();
    }

kuba_ceg answered Oct 12 '22 07:10

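Putting the answer's override together with the check the PCI scanner is effectively performing, as an added example (this is not the asker's, the answerer's or Magento's own code): the module name Mycompany_Securecookie and its config.xml rewrite node are assumptions, and the two Set-Cookie headers are constructed from the one in the question. The rewrite class is only defined when Magento's parent class can be loaded, so the header audit at the bottom also runs stand-alone with plain `php`.

```php
<?php
// Added example, not the asker's, the answerer's or Magento's own code.
// Assumption: a hypothetical module Mycompany_Securecookie whose etc/config.xml
// rewrites the core cookie model:
//   <global><models><core><rewrite>
//     <cookie>Mycompany_Securecookie_Model_Cookie</cookie>
//   </rewrite></core></models></global>

// Part 1: the override from the answer. Defined only when Magento's parent
// class is available, so this file can also run on its own for Part 2.
if (class_exists('Mage_Core_Model_Cookie')) {
    class Mycompany_Securecookie_Model_Cookie extends Mage_Core_Model_Cookie
    {
        // Set the Secure flag whenever the current request arrived over HTTPS,
        // on the frontend as well as in the admin.
        public function isSecure()
        {
            return $this->_getRequest()->isSecure();
        }
    }
}

// Part 2: the audit check, reduced to a parser for one Set-Cookie header.
// Attribute names are case-insensitive; value-less attributes such as
// Secure and HttpOnly are recorded as present.
function auditSetCookie($header)
{
    $parts = array_map('trim', explode(';', $header));
    $nameValue = array_shift($parts);
    list($name) = explode('=', $nameValue, 2);
    $attrs = array();
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
    }
    return array(
        'name'     => $name,
        'secure'   => isset($attrs['secure']),
        'httponly' => isset($attrs['httponly']),
        'domain'   => isset($attrs['domain']) ? $attrs['domain'] : null,
    );
}

// Constructed samples: the header from the question, and what the same cookie
// looks like once isSecure() returns true for an HTTPS request.
$samples = array(
    'frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; path=/; domain=www.mydomaine.com; HttpOnly',
    'frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; path=/; domain=www.mydomaine.com; Secure; HttpOnly',
);
foreach ($samples as $header) {
    $r = auditSetCookie($header);
    printf("%-8s domain=%s Secure=%s HttpOnly=%s%s\n",
        $r['name'],
        $r['domain'],
        $r['secure'] ? 'yes' : 'no',
        $r['httponly'] ? 'yes' : 'no',
        $r['secure'] ? '' : '   <-- would be flagged by the audit');
}
```

After deploying the rewrite, the same check can be run against the live store by fetching a page over https:// (for instance with `curl -sI`) and looking at the Set-Cookie response headers: the first sample line above is what the audit is currently seeing, the second is what it wants to see.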