Need suggestions regarding "Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"


I need expert comment/feedback on an issue which I am facing. I have a PCI compliance report for one of the Magento sites I am working on (Magento 1.4.1.1). The report was generated using Nexpose.


The PCI report states the following.
"Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)"

Description : The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.

The report mentions the following references: OWASP-2010: A3 and OWASP-2013: A2.

Evidence for PCI compliance fail:
Cookie is not marked as secure:
'frontend=2tsnh10jssv89cg0a7n93bf4ji1cmkn0; path=/; httponly; domain=www.example.com'
URL: https://www.example.com/

Solution suggested:
For each cookie sent over SSL in your website, add the "Secure" flag to the cookie.

So my question is: is it a high risk that must be handled to be fully PCI compliant?

I searched on stackoverflow.com and found the following: where is 'secure' tag in Magento cookie on SSL secure site?


1) Do you think that the solution provided is good enough to overcome the issue?

2) Will upgrading to a higher version of Magento help? (http://merch.docs.magento.com/ce/user_guide/content/magento/release-notes-ce-1.9.1.html)


If we switch from an HTTP connection to an HTTPS connection, at that time there is no Secure flag.


Thanks

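The scanner rule quoted in the post (a cookie set in an HTTPS response must carry the Secure attribute, or a later plain-HTTP request to the same host will send it in clear text) can be reproduced locally against the Set-Cookie headers a site returns, which is a quick way to confirm whether a configuration change actually fixed the finding before re-running the PCI scan. The following Python is an added example and is not code from the forum post, from Magento, or from Nexpose; the sample response URL and header values are constructed here to resemble the evidence in the report, and the session-id value is a placeholder.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not Magento or Nexpose code). The sample data below is
constructed to resemble the evidence quoted in the scanner report.
"""
from urllib.parse import urlparse


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased. Flag attributes such as Secure and
    HttpOnly map to True; valued attributes such as path=/ map to their
    string value. The cookie's own name/value pair is the first segment.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(url, header_value):
    """Return a list of finding strings for one Set-Cookie header.

    The Secure check mirrors the scanner's rule: only cookies set over
    HTTPS are expected to carry it. HttpOnly is reported regardless of
    scheme, since it protects the cookie from script access, not transport.
    """
    findings = []
    name, _, attrs = parse_set_cookie(header_value)
    scheme = urlparse(url).scheme.lower()
    if scheme == "https" and "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag (set over {url})")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    return findings


def audit_response(url, set_cookie_headers):
    """Audit every Set-Cookie header of one response; returns all findings."""
    findings = []
    for header_value in set_cookie_headers:
        findings.extend(audit_cookie(url, header_value))
    return findings


# Constructed sample: the shape of the evidence in the report, with a
# placeholder session id. A second cookie shows the corrected form.
SAMPLE_URL = "https://www.example.com/"
SAMPLE_SET_COOKIE = [
    "frontend=SESSION_ID_PLACEHOLDER; path=/; httponly; domain=www.example.com",
    "frontend=SESSION_ID_PLACEHOLDER; path=/; Secure; HttpOnly; domain=www.example.com",
]

if __name__ == "__main__":
    for line in audit_response(SAMPLE_URL, SAMPLE_SET_COOKIE):
        print(line)
```

Running the module reports only the first sample cookie, which is the same condition the scanner flagged; once the site's session cookie is emitted with `Secure` (and `HttpOnly`) over HTTPS, `audit_response` returns an empty list for that response. Because the check works on raw header strings, it can be pointed at the output of any HTTP client or proxy capture of the storefront.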