
I need expert comment/feedback on an issue which I am facing. I have a PCI compliance report for one of the Magento sites I am working on (Magento 1.4.1.1). The report was generated using Nexpose.

The PCI report states the following.

Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)

Description:

The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.

The report mentions the following references: OWASP-2010: A3 and OWASP-2013: A2

Evidence for PCI compliance fail:

Cookie is not marked as secure:

'frontend=2tsnh10jssv89cg0a7n93bf4ji1cmkn0; path=/; httponly; domain=www.example.com'
URL: https://www.example.com/

Solution Suggested:

For each cookie sent over SSL in your web-site, add the "Secure" flag to the cookie.

So my question is, is this a high risk that must be handled to be fully PCI compliant?

I searched on SO and found the following: "where is 'secure' tag in Magento cookie on SSL secure site?".

1) Do you think that the solution provided is good enough to overcome the issue?

2) Will upgrading to a higher version of Magento help?

As in the release notes we have the following statement:

Added a secure cookie flag for the storefront to prevent man-in-the-middle attacks. There is no change to the Secure and Unsecure Web configuration options.

If we switch from an HTTP to an HTTPS connection, at that time no secure flag is there.

Mukesh
  • This site is for programming questions, we are not lawyers and not here to interpret licensing agreements. – Marc B Oct 23 '15 at 19:31
  • Regardless of the compliance issue, serving a session cookie like “frontend” without ‘secure’ is a real security risk, as it allows man-in-the-middle attacks to defeat HTTPS. – bobince Oct 25 '15 at 12:10

1 Answer


As explained here: http://blog.elementps.com/element_payment_solutions/2013/12/new-pci-dss-session-management-requirements-.html

The new PCI DSS requires HTTPS cookies to be marked as Secure. So first of all your site should use SSL for sensitive data. When you are using SSL and you are sending a cookie to the client, you need to mark the cookie as Secure, so the cookie will not be readable over the HTTP protocol.

For the last part of your question, yes, having SSL and marking your cookie Secure and HttpOnly should take care of the PCI requirements.

There are additional requirements, for example, the Session ID should be unique, should be invalidated properly (no session fixation), no Session ID in the URL, etc., but I don't think you have those issues.

To fix this issue, you can try: https://community.magento.com/t5/Version-Upgrades/Secure-cookie-flag/td-p/2997 or https://github.com/lukanetconsult/mage-secure-cookie

72DFBF5B A0DF5BE9
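A small check, added here as an example (it is not Nexpose's or Magento's code), that parses Set-Cookie headers and reports the two gaps discussed in the question's evidence and in the answer above: a cookie served without the Secure flag, and a session cookie served without HttpOnly. The SESSION_COOKIES set and the sample headers (modelled on the report's evidence) are assumptions; fetch_set_cookie_headers needs network access and is there so the same audit can be run against a real host after the fix is deployed.

```python
import http.client
from typing import Dict, List

# Cookie names that carry a session identifier and therefore must be both
# Secure and HttpOnly when served over HTTPS. Magento 1.x uses 'frontend'
# (storefront) and 'adminhtml' (admin); this set is an assumption.
SESSION_COOKIES = {"frontend", "adminhtml"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        # Flag attributes (secure, httponly) have no '=' and are stored as True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per missing attribute, in header order."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        if "secure" not in attrs:  # the http-cookie-secure-flag finding
            findings.append(f"{cookie['name']}: missing Secure")
        if cookie["name"] in SESSION_COOKIES and "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly")
    return findings


def fetch_set_cookie_headers(host: str, path: str = "/") -> List[str]:
    """Fetch `path` over HTTPS and return every Set-Cookie header received."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = resp.headers.get_all("Set-Cookie") or []
    conn.close()
    return headers


# Constructed sample: the header quoted in the report, then a corrected one.
SAMPLE_HEADERS = [
    "frontend=2tsnh10jssv89cg0a7n93bf4ji1cmkn0; path=/; httponly; domain=www.example.com",
    "frontend=2tsnh10jssv89cg0a7n93bf4ji1cmkn0; path=/; secure; httponly; domain=www.example.com",
]
```

Running audit_cookies(SAMPLE_HEADERS) reports only the first header, which is exactly the report's finding; audit_cookies(fetch_set_cookie_headers("www.example.com")) runs the same check against a live site.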