Cookie session transaction issues

Author	« Topic »
Tinsle Advanced Member United Kingdom 342 Posts	Posted - 08/21/2020 : 08:06:16 Hi we received the below message from Cardinal Commerce (partner of PayPal for 3D secure payments) recently as transactions were failing on certain browsers due to a security update. Chrome issue document: https://cardinaldocs.atlassian.net/wiki/download/ attachments/1259077633/CardinalCommerce_Technical Bulletin_Google Chrome_4-29-2020.pdf Safari issue document: https://cardinaldocs.atlassian.net/ wiki/download/attachments/1259077633/ CardinalCommerce_Technical_ Bulletin_Safari_4-29-2020.pdf Cookies on the cart.php page need to be set to SameSite=none and 'Secure'. When i check on chrome in the developer panel i can see 4 cookies, 3 of which are secure but i need to set one to SameSite=none Please can you advise what file i can view the cookie settings in so that we can set them all to secure and ensure all transactions on our cart page are successful? Your prompt attention is most appreciated. ------- Google Chrome Samesite and Safari, iPad and iOS Cookie Changes – How It Impacts You and What You Can Do What are the most important things you want when surfing the internet? Probably making sure your privacy is protected, your transactions are secure and it’s lightning fast, right? Well, Google, Apple and others are focused on making the internet faster on one hand and focused on security and privacy for their users on the other hand. Not always an easy task. Sometimes, these changes may cause errors and impact your checkout flow. Google’s Chromium project and Apple’s WebKit team have both announced (and in some cases, deployed) updates to how cookies are treated by default. These updates will impact the most recent versions of Google Chrome, other Chromium-based browsers such as the latest Microsoft Edge for Windows and macOS, and Safari 13.1 for iOS, macOS, and iPadOS. So, what does this mean for you? If you are using cookies as part of your checkout flow to retain values related to the consumers session, you may be impacted. Depending on how you have chosen to integrate your 3-D Secure solution, you may experience issues with authentication. In extreme cases, you may experience difficulty in fully completing an order. We want to make sure you can continue to transact without issue. We have recommendations to help fix and test your changes for any challenges related to these cookie updates with detailed information on how to make sure you’re up to date and can avoid any problems with your checkout flow --------
Phil ECT Moderator United Kingdom 7680 Posts	Posted - 08/21/2020 : 08:14:56 One of my clients has also experienced payment issues using PayPal direct and I've temporarily disabled 3d secure for the moment and it appears the problem has gone away. * Database Migrations and Conversions* * ASP to PHP Cart Conversions* *Contact Us* *Buy The PHP Capture Card Plugin* Rate Our Services/View Our Feedback
Tinsle Advanced Member United Kingdom 342 Posts	Posted - 08/21/2020 : 08:21:25 Hi Phil, Thanks for your reply, presumably not having the 3D secure available will be less secure for both the seller and buyer so ideally we would like to have this switched on but as a temporary fix maybe we can just switch off until resolved. Can you advise how you disabled the 3D secure? Thanks Kev
Phil ECT Moderator United Kingdom 7680 Posts	Posted - 08/21/2020 : 08:29:08 If you go into the main settings of your admin (store admin > main settings) they'll be three data entries under the heading cardinal commerce. Cardinal Processor ID: Cardinal Merchant ID: Cardinal Transaction Password: Just remove the entries and submit, obviously take a copy of the entries before you remove them * Database Migrations and Conversions* * ASP to PHP Cart Conversions* *Contact Us* *Buy The PHP Capture Card Plugin* Rate Our Services/View Our Feedback
Tinsle Advanced Member United Kingdom 342 Posts	Posted - 08/21/2020 : 08:35:21 Thanks Phil, Any luck trying to get this one resolved? Do you know what file the cookie settings are stored on so we can make changes to it? Regards Kev
Phil ECT Moderator United Kingdom 7680 Posts	Posted - 08/21/2020 : 09:42:34 I wouldn't be making any changes until Vince looks into it. The cookie is set in the vsadmin/inc/inccart.php file but I don't think that's the issue, it maybe the way Cardinal Commerce is integrated so it's best to wait and see what Vince has to say vsadmin/inc/inccart.php line 7389 <script .... * Database Migrations and Conversions* * ASP to PHP Cart Conversions* *Contact Us* *Buy The PHP Capture Card Plugin* Rate Our Services/View Our Feedback
Vince Administrator 42756 Posts	Posted - 08/21/2020 : 09:48:15 Hi Kev Can you send me the site FTP login details to my email (vince AT ecommercetemplates DOT com) and I'll take a look into this. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Tinsle Advanced Member United Kingdom 342 Posts	Posted - 06/01/2021 : 07:08:25 Hi Vince, We recently failed a PCI scan this month due to "Insecure configuration of Cookie attributes". Please refer to below details provided by TrustWave our PCI provider: Cookie Vulnerability helps an attacker to gain access to session information stored in cookies. It may also be used as a 'locator' attack that precedes a Cross-Site Scripting (XSS) or Man-In-The-Middle attack. When looking for Cookie Vulnerabilities, an attacker will first observe cookies through various HTTP proxies and check their attributes. The attacker will then try to steal cookies of various users by employing multiple attacks. If successful, he/she may be able to get sensitive information which can be further used in an illegitimate way. CVE: CVE-NO-MATCH CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N Service: https ------ Evidence: DetectionDetails: Cookie Vulnerabilities Found ecttestcart = 1902 Path = / Host = www.************.co.uk Cookie does not have secure attribue in HTTPS Cookie does not have an HTTPOnly Attribute Cookie Change Observed on CLIENTside Request: GET https://www.************.co.uk/index.php HTTP/1.1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36 Sec-Fetch-User: ?1 ---------- Remediation: Secure flag must be set for Session Cookies for Application served over SSL. For all Session cookies, HTTPOnly flag would limit session access in cases of Cross-Site Scripting issues. Proper Caching headers should be set for responses carrying the cookie. ----------- From the above understanding it seems a secure session cookie is not being dropped when a customer accesses the website? Can you please advise how we can rectify this so that a secure session cookie is set everytime? Look forward to hearing from you Regards Kev
Vince Administrator 42756 Posts	Posted - 06/02/2021 : 03:01:40 Hi Kev This is the cookie that checks that javascript is not disabled and there is a test to see if the cart is on HTTPS, and if so a secure flag is set. But it seems this isn't happening in your case so could you send the site FTP login to my email (vince AT ecommercetemplates DOT com) and I'll investigate why. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Vince Administrator 42756 Posts	Posted - 06/03/2021 : 03:29:05 Hi Kev It seems the change to add the "secure" flag was a bit more recent than I thought so the version of cart you are using didn't have the change. I've added it for you now so if you try another scan it should be ok. All the current releases have this change. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Tinsle Advanced Member United Kingdom 342 Posts	Posted - 06/03/2021 : 06:17:17 Thank you Vince, i will run the scan now. If there are any issues i will revert back. I will also update the cart to the latest version in the coming days. Kind regards Kev
Tinsle Advanced Member United Kingdom 342 Posts	Posted - 06/29/2021 : 01:40:31 Hi Vince, Our PCI scan has run this month and we are now failing on the below insecurity found on a few pages including the cart page: "Insecure configuration of Cookie attributes, CVE-NO-MATCH" Evidence: DetectionDetails: Cookie Vulnerabilities Found phpsessid = ns3h********scleqjehk Path = / Host = www.******.co.uk Cookie does not have secure attribue in HTTPS Cookie does not have an HTTPOnly Attribute Request: GET https://www.******.co.uk/cart.php HTTP/1.1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Cookie: cookieconsent_dismissed=yes; Remediation:** Secure flag must be set for Session Cookies for Application served over SSL. For all Session cookies, HTTPOnly flag would limit session access in cases of Cross-Site Scripting issues. Proper Caching headers should be set for responses carrying the cookie. Please can you advise on this. Regards Kev
Vince Administrator 42756 Posts	Posted - 07/01/2021 : 03:00:50 Hi Kev The phpsessid is automatically generated by PHP so it would really be up to PHP to set any required secure flags. Is the version of PHP on the server up to date? If it is then there are a couple of php.ini settings that can affect this as here... https://stackoverflow.com /questions/51205876/https-cookie-httponly-and-secure Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
Tinsle Advanced Member United Kingdom 342 Posts	Posted - 07/02/2021 : 03:36:11 Hi Vince, The server is running PHP 7.3.28. Do you think updating to version 8 will resolve this issue? Look forward to hearing from you Regards Kev
Vince Administrator 42756 Posts	Posted - 07/02/2021 : 09:25:29 Hi Kev PHP 7.3.28 is plenty recent enough so I would look at the PHP.ini settings. Vince Click Here for Shopping Cart Software Click Here to sign up for our newsletter Click Here for the latest updater
	« Topic »