I am attempting to obtain PCI compliance for my site but the McAfee security scan has thrown a:

Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel

Drupal (default behavior) sets a session cookie when you simply arrive at the site. This is causing the problem. Clearly, the entire site shouldn't be under SSL; plenty of other sites set session cookies like this.

What gives?

frio80

1 Answer

What version of Drupal?

You might consider the Pressflow fork of Drupal, which backports some fixes from Drupal 7 to earlier versions. One of the notable ones is that it doesn't set a session cookie for anonymous users unless they actually need one. Assuming you don't need the cookies, you might be able to sidestep this whole problem.

Eli
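To confirm whether an anonymous page load still triggers the scanner finding discussed above, the response headers can be audited for persistent cookies that lack the `Secure` attribute. This is an added example, not part of the original question or answer; the sample headers are constructed, and the `SESS` plus 32 hex characters cookie-name pattern is an assumption about Drupal's session cookie naming.

```python
import re

# Constructed sample: headers from an anonymous request over plain HTTP.
# Cookie names and values are made up for illustration.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESS0123456789abcdef0123456789abcdef=constructedvalue; "
                   "expires=Fri, 01 Jan 2038 00:00:00 GMT; path=/; domain=.example.com"),
    ("Set-Cookie", "theme=light; path=/"),  # no expiry, so not persistent
]

# Assumed Drupal session cookie naming: SESS (or SSESS) followed by an MD5 hex string.
SESSION_NAME = re.compile(r"^S?SESS[0-9a-f]{32}$")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(headers, scheme="http"):
    """Return persistent cookies set without Secure on a non-encrypted response."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        persistent = "expires" in attrs or "max-age" in attrs
        if scheme == "http" and persistent and "secure" not in attrs:
            findings.append({
                "cookie": name,
                "session_cookie": bool(SESSION_NAME.match(name)),
                "issue": "persistent cookie without Secure on HTTP",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

An empty result for an anonymous request means no persistent cookie was set on that response, which is the behaviour the answer attributes to Pressflow.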