PCI compliance issue

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
compunerdy
Admiral (ADM)
Posts: 1283
Joined: Sun Nov 18, 2007 3:55 pm

PCI compliance issue

Post by compunerdy » Wed Sep 26, 2018 2:47 am

This is the last issue I need to solve to be compliant again and I am not sure where to go to fix it..

Non-Secure Session Cookies Identified
The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: PCI compliance issue

Post by jmestep » Wed Sep 26, 2018 9:59 pm

We are having to patch this also. Some sites are reporting it from their PCI compliance scans. Here is what we did in web.config, adding the xxx="true" at the end of the tags:
<forms timeout="15" slidingExpiration="true" name="ACGOLD.ASPXAUTH" requireSSL="true"/>
<anonymousIdentification enabled="true" cookieName="ACGOLD.ASPXANONYMOUS" cookieTimeout="1440" cookieRequireSSL="true"/>
Add this right before </system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />

Note: Don't make the changes unless your entire site is running https
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
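Once the web.config changes above are in place, the way to confirm the scanner finding is closed is to look at the Set-Cookie headers the site actually returns over HTTPS. The following is an added example, not code from this thread or from AbleCommerce: it parses raw Set-Cookie values (constructed samples here, one set before and one after the fix) and reports any session cookie still missing the Secure or HttpOnly flag. The cookie names come from the web.config in the post above; ASP.NET_SessionId is the framework's default session cookie name and is included as an assumption.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags."""
from typing import Dict, List

# Names from the thread's web.config, plus ASP.NET's default session
# cookie name (assumed; not mentioned in the thread).
SESSION_COOKIE_NAMES = {"ACGOLD.ASPXAUTH", "ACGOLD.ASPXANONYMOUS", "ASP.NET_SessionId"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Valueless attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing ';'
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookies(headers: List[str]) -> List[str]:
    """Return one finding per session cookie lacking Secure or HttpOnly.
    Cookies outside SESSION_COOKIE_NAMES (e.g. analytics) are ignored."""
    findings = []
    for raw in headers:
        cookie = parse_set_cookie(raw)
        if cookie["name"] not in SESSION_COOKIE_NAMES:
            continue
        missing = [f for f in ("secure", "httponly") if f not in cookie["attrs"]]
        if missing:
            findings.append(f"{cookie['name']}: missing {', '.join(missing)}")
    return findings


# Constructed sample headers, not captured from any real site.
BEFORE_FIX = [
    "ACGOLD.ASPXAUTH=abc123; path=/; HttpOnly",
    "ACGOLD.ASPXANONYMOUS=anon456; expires=Thu, 27-Sep-2019 00:00:00 GMT; path=/",
]
AFTER_FIX = [
    "ACGOLD.ASPXAUTH=abc123; path=/; secure; HttpOnly",
    "ACGOLD.ASPXANONYMOUS=anon456; expires=Thu, 27-Sep-2019 00:00:00 GMT; path=/; secure; HttpOnly",
    "_ga=GA1.2.1; path=/",  # third-party cookie, out of scope for this check
]

if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        problems = audit_set_cookies(headers)
        print(f"{label}: {problems or 'all session cookies carry Secure and HttpOnly'}")
```

Feed it the Set-Cookie values from a real HTTPS response (browser developer tools or curl -I) to verify a live site; an empty result for the after-fix case is what the PCI scanner is looking for.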

compunerdy
Admiral (ADM)
Posts: 1283
Joined: Sun Nov 18, 2007 3:55 pm

Re: PCI compliance issue

Post by compunerdy » Thu Sep 27, 2018 1:27 am

I know I can turn on the option to have all pages show https but is there any issues with that still? I recall someone posting about issues with it.

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: PCI compliance issue

Post by AbleMods » Fri Oct 05, 2018 5:09 am

In R10 there were a few (minor) issues. If you're on R12, you should most certainly be running all pages in HTTPS. I have every single one of my clients (that are capable) running full HTTPS. It's rock solid.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

compunerdy
Admiral (ADM)
Posts: 1283
Joined: Sun Nov 18, 2007 3:55 pm

Re: PCI compliance issue

Post by compunerdy » Mon Oct 08, 2018 7:31 am

Thanks!! That seems to have me all fixed up.
