Cookies

**mprough** · 18 Mar 2019, 05:35 PM

THIS IS CROSS POSTED FOR CLARITY

I am recently getting a bunch of reports for

Details: SSL/TLS: Missing `secure` Cookie Attribute (NVT:1.3.6.1.4.1.25623.1.0.902661)
Version used: $Revision: 4686 $
References:CVSS v2 Vector: (Av:n/ac:l/au:n/c/i/a:n)
CVE: NOCVE
BID: NOBIDCERT:XREF:
URL:http://www.ietf.org/rfc/rfc2965.txt,...(OWASP-SM-002)

I have already supplied them this page https://www.zen-cart.com/content.php?317-cookies

I have received this fail from Carts 1.54 & PHP 5.6 as well as carts 1.5.5F & PHP 7.1.

My question is, since it seems to be raining these, is there a way to change the carts so that they are setting the 'secure' attribute?

###
I located the following in includes/init_includes/init_sessions.php

Code:

session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);

Setting $secureFlag, FALSE resolved the headers reporting of HttpOnly ... The cart seems to function, are there any pitfalls to this? It's certainly a complicated area of functions and I want to make sure it won't mess anything up.

~Melanie

**DrByte** · 19 Mar 2019, 11:40 PM

Either of these combinations will set the 'secure' flag, since they cause the storefront to operate entirely with https URLs:

ENABLE_SSL = 'true'
HTTP_SERVER begins with https
HTTPS_SERVER begins with https

or

ENABLE_SSL = 'false'
HTTP_SERVER begins with https

**mprough** · 20 Mar 2019, 02:04 PM

The secure attribute is there, it's the httponly part they are referring to

**DrByte** · 21 Mar 2019, 03:37 PM

The secure attribute is there, it's the httponly part they are referring to

Good point.
It's ironic that their wording and related RFC docs all talk about the 'secure' flag, when their complaint is really about the 'httponly' flag (er, well PHP calls it httponly; it's really about the list of allowed "ports").

Setting httponly to true will indeed make the scans pass. But it will break all sessions on a site that isn't running entirely on https. And any javascript/ajax calls must also use https endpoints, so you'll need to review all plugins/addons/templates/scripts/etc to ensure they're working.

**mprough** · 21 Mar 2019, 03:40 PM

Alright =) I'll dive back in with them

**mprough** · 31 Mar 2019, 02:47 PM

I was able to get is marked false positive by sending them this (https://www.zen-cart.com/content.php?317-cookies) and a phone call

**mprough** · 30 Apr 2020, 01:53 PM

Just an update for this. According to cPanel, to fix this you set the following for the PHP version.

Code:

/etc/php.ini

session.cookie_httponly = True
session.cookie_secure=on

service httpd restart

Thread: Cookies

Thread Tools

Search Thread

Display

Cookies

Re: PCI Compliance/code injection

Re: PCI Compliance/code injection

Re: Cookies

Re: Cookies

Re: Cookies

Re: Cookies

Similar Threads

v151 Cookies

Cookies

cookies

Bookmarks

Bookmarks

Posting Permissions