Magento added a "Secure cookie flag" to 1.9.1.0 to prevent MITM attacks. This prevents one of our clients' shops from functioning when switched to a different storeview with a different domain over HTTPS.
The right SID is sent to the shop, which works normally when the shop is not set to HTTPS on the frontend; however, once the request is in secure mode Magento does a "Secure cookie flag" check:
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

```php
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
    // secure cookie check to prevent MITM attack
    $secureCookieName = $sessionName . '_cid';
    if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])
        && $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))
    ) {
        session_regenerate_id(false);
        $sessionHosts = $this->getSessionHosts();
        $currentCookieDomain = $cookie->getDomain();
        foreach (array_keys($sessionHosts) as $host) {
            // Delete cookies with the same name for parent domains
            if (strpos($currentCookieDomain, $host) > 0) {
                $cookie->delete($this->getSessionName(), null, $host);
            }
        }
        $_SESSION = array();
    }
    if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
        $checkId = Mage::helper('core')->getRandomString(16);
        $cookie->set($secureCookieName, $checkId, null, null, null, true);
        $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
    }
}
```
When I removed this piece of code the webshop functions normally again, but this is not the most ideal solution. Am I missing some configuration so this function works properly or is this a bug?
We also see this happening on a Magento CE 1.9.1.0 shop after switching to HTTPS.
It looks like the code referenced upgrades the default 'frontend' cookie, which isn't marked as 'secure', to a new 'frontend_cid' cookie which is secure. But in this process, it overwrites the original SID which comes from the other domain name.
We fixed it by installing this module: https://github.com/lukanetconsult/mage-secure-cookie which adds an option to mark the 'frontend' cookie as secure. So no additional 'frontend_cid' cookie is created because it doesn't go into the referenced code (because of the `empty($cookieParams['secure'])` check).
I hope this doesn't introduce a new security issue, but I don't think so...
Hope this helps other people running into the same issue.
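To see why the check quoted in the question wipes the session on a cross-domain storeview switch, and why marking the session cookie itself as secure sidesteps it, here is an added Python model of that logic (not Magento's or the module's code; the host names, the session dict, the cookie jars and the cart contents are constructed):

```python
import hashlib
import secrets

CHECK_KEY = "_secure_cookie_check_key"   # stands in for self::SECURE_COOKIE_CHECK_KEY
SECURE_COOKIE_NAME = "frontend_cid"       # $sessionName . '_cid' for the frontend session

def md5(value):
    # PHP's md5(null) hashes the empty string, so a missing cookie never matches the stored hash.
    return hashlib.md5((value or "").encode()).hexdigest()

def secure_cookie_check(session, cookies, is_secure, session_cookie_secure):
    """Model of the Varien.php check. `session` is the $_SESSION array for the SID
    the request presents; `cookies` is the browser's cookie jar for the host being
    requested (browsers keep cookies per host). Returns the possibly wiped session."""
    if not (is_secure and not session_cookie_secure):
        return session                       # check only runs for HTTPS + non-secure session cookie
    if CHECK_KEY in session and session[CHECK_KEY] != md5(cookies.get(SECURE_COOKIE_NAME)):
        session.clear()                      # session_regenerate_id(false); $_SESSION = array();
    if CHECK_KEY not in session:
        check_id = secrets.token_hex(8)      # getRandomString(16)
        cookies[SECURE_COOKIE_NAME] = check_id   # set with the secure flag, scoped to this host only
        session[CHECK_KEY] = md5(check_id)
    return session

def storeview_switch(session_cookie_secure):
    """Customer fills a cart on shop-a over HTTPS, then follows a storeview link to
    shop-b that carries the same SID in the URL. Returns the cart as seen on shop-b."""
    session = {"cart": ["sku-123"]}                       # constructed session data
    jar = {"shop-a.example": {}, "shop-b.example": {}}    # one cookie jar per host
    secure_cookie_check(session, jar["shop-a.example"], True, session_cookie_secure)
    secure_cookie_check(session, jar["shop-a.example"], True, session_cookie_secure)  # same host: passes
    # shop-b never received the frontend_cid cookie, so the hash comparison fails there
    secure_cookie_check(session, jar["shop-b.example"], True, session_cookie_secure)
    return session.get("cart", [])

if __name__ == "__main__":
    print("non-secure session cookie, cart on shop-b:", storeview_switch(False))  # []
    print("secure session cookie, cart on shop-b:   ", storeview_switch(True))   # ['sku-123']
```

With the default non-secure session cookie the shared session is emptied on the second domain; with the session cookie flagged secure the check is skipped entirely, which is the behaviour the module above relies on.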