This is the last issue I need to solve to be compliant again, and I am not sure where to go to fix it.
Non-Secure Session Cookies Identified
The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.
PCI compliance issue
- compunerdy
- jmestep (Dayton, OH)
Re: PCI compliance issue
We are having to patch this also; some sites are reporting it from their PCI compliance scans. Here is what we did in web.config, adding the xxx="true" at the end of the tags:
<forms timeout="15" slidingExpiration="true" name="ACGOLD.ASPXAUTH" requireSSL="true"/>
<anonymousIdentification enabled="true" cookieName="ACGOLD.ASPXANONYMOUS" cookieTimeout="1440" cookieRequireSSL="true"/>
Add this right before </system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
Note: Don't make the changes unless your entire site is running https
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
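A way to verify the change above after deploying it, as an added example that is not part of the forum post or of AbleCommerce: parse the Set-Cookie headers a site returns and report any cookie that lacks the Secure or HttpOnly flag, which is essentially what the PCI scanner is checking over HTTPS. The "before" and "after" header samples are constructed; they reuse the ACGOLD.ASPXAUTH and ACGOLD.ASPXANONYMOUS cookie names from the web.config fragment, and they assume the ASP.NET_SessionId session cookie also picks up Secure from the httpCookies requireSSL setting. The fetch_set_cookies helper is only for pointing the same audit at a live https:// URL; the offline samples do not use it.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the forum thread or from AbleCommerce.
The sample headers below are constructed to mimic what an ASP.NET site
sends before and after the web.config change discussed in the thread.
"""
import urllib.request
from typing import Dict, List

# Constructed sample: cookies as an unpatched site might send them.
BEFORE_FIX = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "ACGOLD.ASPXAUTH=tokenvalue; path=/; HttpOnly",
    "ACGOLD.ASPXANONYMOUS=anonvalue; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/",
]

# Constructed sample: the same cookies after requireSSL / cookieRequireSSL
# (assumes the session cookie also inherits Secure from <httpCookies>).
AFTER_FIX = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    "ACGOLD.ASPXAUTH=tokenvalue; path=/; secure; HttpOnly",
    "ACGOLD.ASPXANONYMOUS=anonvalue; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its cookie name and its flags.

    Attribute names are case-insensitive (RFC 6265), so 'secure' and
    'Secure' are treated alike. Splitting on ';' is safe even though the
    expires attribute contains a comma.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return {
        "name": name,
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
    }


def audit(headers: List[str]) -> List[str]:
    """Return one finding per cookie that lacks Secure or HttpOnly.

    An empty list means every cookie carries both flags, which is the
    state the PCI scan in the thread is looking for over HTTPS.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [
            flag
            for flag, present in (("Secure", cookie["secure"]), ("HttpOnly", cookie["httponly"]))
            if not present
        ]
        if missing:
            findings.append(f"{cookie['name']}: missing {', '.join(missing)}")
    return findings


def fetch_set_cookies(url: str) -> List[str]:
    """Fetch a page and return its raw Set-Cookie header values.

    Network helper for checking a live site after the change; the offline
    samples above do not call it. Use an https:// URL, since that is the
    case the scanner complains about.
    """
    with urllib.request.urlopen(url) as resp:  # assumes the site is reachable
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(f"{label}: {audit(headers) or ['no findings']}")
```

Run it as-is to see the three findings on the constructed "before" headers and none on the "after" set; then replace the sample list with fetch_set_cookies("https://your-store/") to audit the real response. Note that the check only tells you the flags are present; the note in the post still applies, since a Secure cookie will not be sent back on any page that is still served over plain HTTP.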
- compunerdy
Re: PCI compliance issue
I know I can turn on the option to have all pages show https, but are there any issues with that still? I recall someone posting about issues with it.
Re: PCI compliance issue
In R10 there were a few (minor) issues. If you're on R12, you should most certainly be running all pages in HTTPS. I have every single one of my clients (that are capable) running full HTTPS. It's rock solid.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
- compunerdy
Re: PCI compliance issue
Thanks!! That seems to have me all fixed up.