Making anonymous cookie require SSL

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Making anonymous cookie require SSL

Post by AbleMods » Wed Aug 06, 2014 5:31 am

I've got a PCI compliance report that is complaining the AC7.ASPXANONYMOUS cookie is not being passed over SSL and therefore fails PCI compliance.

Even more weird, the client has 3 Able 7.0.6 websites. Only 1 fails this test.

Is there a way to force this in the web.config or something?

I've already tried this, it didn't help:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

I've also tried cookieRequiresSSL on the <anonymousIdentification> tag. It just crashes Able because it can't find the UserId to look up as if the cookie has disappeared entirely.

Any thoughts?
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

sweeperq
Commodore (COMO)
Posts: 497
Joined: Tue Jan 03, 2006 2:45 pm

Re: Making anonymous cookie require SSL

Post by sweeperq » Fri Aug 08, 2014 5:53 am

I think if you put "requireSSL='true'" you will lose your cookie whenever you exit SSL mode (for example going from the checkout or my account area, back into the store). The reason is that the cookie will only be transmitted back to the site for SSL-protected requests.
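
The behaviour described in the reply above, as an added example that is not part of the original thread: Python's standard-library cookie jar stands in for the browser and shows when the anonymous cookie is returned. The host name, page paths and cookie value are constructed placeholders.

```python
"""Added example: how a browser-style cookie jar treats the Secure attribute."""
import email
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed values: host, paths and cookie value are placeholders.
HTTPS_CHECKOUT = "https://shop.example.test/Checkout/Default.aspx"
HTTP_CATALOG = "http://shop.example.test/Default.aspx"
ANON = "AC7.ASPXANONYMOUS=constructed-anon-id; path=/; HttpOnly"


class FakeResponse:
    """Minimal response object: CookieJar only needs info() with the headers."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def cookie_sent(set_cookie, issued_on, next_url):
    """Store a cookie set by `issued_on`, then return the Cookie header the
    client would attach to a request for `next_url` (None if withheld)."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), Request(issued_on))
    request = Request(next_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    # Same cookie with and without Secure, replayed to an HTTPS and an HTTP page.
    for label, header in (("no Secure", ANON), ("Secure", ANON + "; Secure")):
        for url in (HTTPS_CHECKOUT, HTTP_CATALOG):
            sent = cookie_sent(header, HTTPS_CHECKOUT, url)
            print(f"{label:9} -> {url}: {sent or 'cookie withheld'}")
```

Without Secure, the identifier is attached to the plain-HTTP request as well; with Secure it is withheld there, so a store that serves pages over both schemes receives HTTP requests carrying no anonymous ID.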
