Need suggestions regarding "Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"


I need expert comment/feedback on an issue which I am facing. I have a PCI compliance report for one of the Magento sites I am working on (Magento 1.4.1.1). The report was generated using Nexpose.


The PCI report states the following.
"Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"

Description : The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.

The report mentions the following references: OWASP-2010: A3 and OWASP-2013: A2.

Evidence for PCI compliance fail:
Cookie is not marked as secure:
'frontend=2tsnh10jssv89cg0a7n93bf4ji1cmkn0; path=/; httponly; domain=www.example.com'
URL: https://www.example.com/

Solution Suggested:
For each cookie sent over SSL in your web-site, add the "Secure" flag to the cookie.

So my question is: is it a high risk that must be handled to be fully PCI compliant?

I searched on stackoverflow.com and found the following: where is 'secure' tag in Magento cookie on SSL secure site?

 

1) Do you think that the solution provided is good enough to overcome the issue?

2) Will upgrading to a higher version of Magento help? (http://merch.docs.magento.com/ce/user_guide/content/magento/release-notes-ce-1.9.1.html)

 

If we switch from an HTTP connection to an HTTPS connection, at that time there is no secure flag.


Thanks

---
Problem Solved Click Accept as Solution!:Magento Community India Forum
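A way to reproduce the scanner's check yourself, as an added example that is not part of this thread or of Magento: it parses Set-Cookie headers the way the Nexpose finding describes and reports which cookies lack the Secure (and HttpOnly) attribute. The sample headers are constructed; the first one copies the cookie quoted in the report, and the optional live fetch assumes the site is reachable and that its cookies arrive on the final response (urllib follows redirects).

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes (added example)."""
import sys
import urllib.request
from typing import Dict, List

# Constructed sample headers, as a storefront might return them over HTTPS.
# The first reproduces the cookie quoted as evidence in the PCI report.
SAMPLE_HEADERS = [
    "frontend=2tsnh10jssv89cg0a7n93bf4ji1cmkn0; path=/; httponly; domain=www.example.com",
    "frontend_cid=abc123; path=/; httponly; secure; domain=www.example.com",
    "tracking=1; path=/",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its name/value and a lower-cased attribute map.

    Attribute names are case-insensitive (RFC 6265), so 'Secure', 'secure' and
    'SECURE' are all recognised; bare flags such as 'httponly' map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_cookie(header: str, over_https: bool = True) -> List[str]:
    """Return the findings a scanner would raise for one Set-Cookie header."""
    attrs = parse_set_cookie(header)
    findings = []
    if over_https and "secure" not in attrs:      # Nexpose: http-cookie-secure-flag
        findings.append("missing Secure flag")
    if "httponly" not in attrs:                   # script-readable session cookie
        findings.append("missing HttpOnly flag")
    return findings


def audit_response(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name in a response to its list of findings."""
    return {parse_set_cookie(h)["__name__"]: audit_cookie(h, over_https) for h in headers}


if __name__ == "__main__":
    # With a URL argument, audit the live response; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1]) as resp:
            headers = resp.headers.get_all("Set-Cookie") or []
        report = audit_response(headers, over_https=sys.argv[1].startswith("https://"))
    else:
        report = audit_response(SAMPLE_HEADERS)
    for cookie_name, findings in report.items():
        print(f"{cookie_name}: {', '.join(findings) or 'ok'}")
```

Run it against the storefront URL after the upgrade to confirm the `frontend` cookie now carries `secure`; a cookie set only on an intermediate redirect response will not be seen by this simple fetch.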

Re: Need suggestions regarding "Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"

@Mukesh Tiwari 

Did you get any fixes for this?

 

Re: Need suggestions regarding "Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"

Hi Smita,

Which version of Magento are you using?

This issue was fixed in Magento version 1.9.1. Visit the release notes https://docs.magento.com/m1/ce/user_guide/magento/release-notes-ce-1.9.1.html
and see the following section.

 

Security Enhancements
  • To change an administrator password from the Admin, you must first enter the existing password.
  • Customer passwords are no longer stored in clear text during registration.
  • Customers in the store can no longer see the names of other users, as had been reported in certain circumstances.
  • Added a secure cookie flag for the storefront to prevent man-in-the-middle attacks. There is no change to the Secure and Unsecure Web configuration options.

You may check \app\code\core\Mage\Core\Model\Session\Abstract\Varien.php file for the code changes.


There is the following code section:

if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
    // secure cookie check to prevent MITM attack
    $secureCookieName = $sessionName . '_cid';
    if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
        if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) {
            session_regenerate_id(false);
            $sessionHosts = $this->getSessionHosts();
            $currentCookieDomain = $cookie->getDomain();
            foreach (array_keys($sessionHosts) as $host) {
                // Delete cookies with the same name for parent domains
                if (strpos($currentCookieDomain, $host) > 0) {
                    $cookie->delete($this->getSessionName(), null, $host);
                }
            }
            $_SESSION = array();
        } else {
            /**
             * Renew secure cookie expiration time if secure id did not change
             */
            $cookie->renew($secureCookieName, null, null, null, true, null);
        }
    }
    if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
        $checkId = Mage::helper('core')->getRandomString(16);
        $cookie->set($secureCookieName, $checkId, null, null, null, true);
        $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
    }
}

If you are on a lower version of Magento you can update to a higher version, or you may have to extend this file in the local code pool.


Re: Need suggestions regarding "Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"

Hello @Mukesh Tiwari ,

The version is already upgraded and the same code is there, but I still have the same issue.

 

Thank You.

Re: Need suggestions regarding "Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"

Hi @smita_kagwade 

I am not getting it. What is your concern?
Do you want your site to be PCI compliant?
