THIS IS CROSS POSTED FOR CLARITY
I am recently getting a bunch of reports for
Details: SSL/TLS: Missing `secure` Cookie Attribute (NVT: 1.3.6.1.4.1.25623.1.0.902661)
Version used: $Revision: 4686 $
References:
CVSS v2 Vector: (Av:n/ac:l/au:n/c/i/a:n)
CVE: NOCVE
BID: NOBID
CERT:
XREF:
URL: http://www.ietf.org/rfc/rfc2965.txt, ... (OWASP-SM-002)
I have already supplied them this page https://www.zen-cart.com/content.php?317-cookies
I have received this fail from Carts 1.54 & PHP 5.6 as well as carts 1.5.5F & PHP 7.1.
My question is, since it seems to be raining these, is there a way to change the carts so that they are setting the 'secure' attribute?
###
I located the following in includes/init_includes/init_sessions.php
Setting $secureFlag, FALSE resolved the headers reporting of HttpOnly ... The cart seems to function; are there any pitfalls to this? It's certainly a complicated area of functions and I want to make sure it won't mess anything up.
Code:
session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
~Melanie
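As an added illustration (not Zen Cart's own code and not part of the post above), the following PHP shows the pattern the question is about: choosing the `secure` argument of `session_set_cookie_params()` from whether the request actually arrived over TLS, and then checking the queued `Set-Cookie` header so a scanner-style finding can be verified locally. The helper names `request_is_https`, `configure_session_cookie` and `session_cookie_is_secure` are assumptions made for this example, as is the `$trustProxyHeader` switch; the positional five-argument signature is the one available on the PHP 5.6 and 7.1 versions named in the post.

```php
<?php
// Added example, not Zen Cart project code. Call this before session_start().

/**
 * Hypothetical helper: true when the current request arrived over TLS.
 * Looks at the standard $_SERVER['HTTPS'] flag; the X-Forwarded-Proto header
 * is consulted only if you explicitly trust the reverse proxy that sets it,
 * because a client can send that header itself on a directly exposed host.
 */
function request_is_https(array $server, $trustProxyHeader = false)
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxyHeader
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

/**
 * Hypothetical helper: configure the PHP session cookie.
 * $secure must only be true when the site is served over HTTPS. A cookie
 * carrying the Secure attribute is never sent by the browser over plain HTTP,
 * so forcing it on an HTTP page makes the session silently disappear; that is
 * the main pitfall of hard-coding the flag.
 */
function configure_session_cookie($path, $domain, $secure)
{
    // lifetime 0 = browser-session cookie; httponly TRUE keeps it out of
    // document.cookie. Positional form works on PHP 5.6 and 7.1.
    session_set_cookie_params(0, $path, $domain, (bool) $secure, true);
    return session_get_cookie_params();
}

/**
 * Hypothetical check: inspect the Set-Cookie header PHP has queued for the
 * session cookie. Returns true/false for the presence of the Secure attribute,
 * or null if no session cookie header is queued (e.g. when run from the CLI,
 * where headers_list() is empty).
 */
function session_cookie_is_secure()
{
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    foreach (headers_list() as $header) {
        if (stripos($header, $prefix) === 0) {
            return stripos($header, '; secure') !== false;
        }
    }
    return null;
}

// Usage: derive the flag from the request instead of a constant.
$secure = request_is_https($_SERVER, false);
$params = configure_session_cookie('/', '', $secure);
session_start();

if (session_cookie_is_secure() === false && $secure) {
    // Something else re-issued the cookie without the attribute; worth logging.
    error_log('session cookie queued without Secure although request is HTTPS');
}
```

The check at the end is the local equivalent of what the scanner reported: if the storefront is reachable over plain HTTP at all, the browser will not present a Secure session cookie on those pages, so the decision to set the flag belongs with a decision to serve the whole cart over HTTPS.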