cancel
Showing results for 
Search instead for 
Did you mean: 

Secure cookie flag

Secure cookie flag

Magento added a "Secure cookie flag" to 1.9.1.0 to prevent MITM attacks. This prevents one of our clients their shop to function when switched to a different storeview with a different domain over HTTPS.

 

The right SID is send to the shop which is works normal when the shop is not set to HTTPS on the frontend, however, once the request is in secure mode Magento does a "Secure cookie flag" check:

 

app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

        if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
            // secure cookie check to prevent MITM attack
            $secureCookieName = $sessionName . '_cid';
            if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])
                && $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))
            ) {
                session_regenerate_id(false);
                $sessionHosts = $this->getSessionHosts();
                $currentCookieDomain = $cookie->getDomain();
                foreach (array_keys($sessionHosts) as $host) {
                    // Delete cookies with the same name for parent domains
                    if (strpos($currentCookieDomain, $host) > 0) {
                        $cookie->delete($this->getSessionName(), null, $host);
                    }
                }
                $_SESSION = array();
            }
            if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
                $checkId = Mage::helper('core')->getRandomString(16);
                $cookie->set($secureCookieName, $checkId, null, null, null, true);
                $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
            }
        }

 When I removed this piece of code the webshop functions normally again, but this is not the most ideal solution. Am I missing some configuration so this function works properly or is this a bug?

1 REPLY

Re: Secure cookie flag

We also see this happening on a Magento CE 1.9.1.0 shop after switching to HTTPS.

 

It looks like the code referenced, upgrades the default 'frontend' cookie which isn't marked as 'secure' to a new 'frontend_cid' cookie which is secure. But in this process, it overwrites the original SID which comes from the other domainname.

 

We fixed it by installing this module: https://github.com/lukanetconsult/mage-secure-cookie which adds an option to mark the 'frontend' cookie as secure. So no additional 'frontend_cid' cookie is created because it doesn't go into the referenced code (because of the

empty($cookieParams['secure'])

 check).

 

I hope this doesn't introduce a new security issue, but I don't think so...

 

Hope this helps other people running into the same issue.