Tinsle
Advanced Member
United Kingdom
342 Posts
Posted - 08/21/2020 : 08:06:16
Hi, we received the message below from Cardinal Commerce (partner of PayPal for 3D Secure payments) recently, as transactions were failing on certain browsers due to a security update.
Chrome issue document: https://cardinaldocs.atlassian.net/wiki/download/attachments/1259077633/CardinalCommerce_Technical Bulletin_Google Chrome_4-29-2020.pdf
Safari issue document: https://cardinaldocs.atlassian.net/wiki/download/attachments/1259077633/CardinalCommerce_Technical_Bulletin_Safari_4-29-2020.pdf
Cookies on the cart.php page need to be set to SameSite=none and 'Secure'.
When I check in the Chrome developer panel I can see 4 cookies, 3 of which are secure, but I need to set one to SameSite=none.
Please can you advise which file I can view the cookie settings in, so that we can set them all to secure and ensure all transactions on our cart page are successful? Your prompt attention is most appreciated.
------- Google Chrome Samesite and Safari, iPad and iOS Cookie Changes – How It Impacts You and What You Can Do
What are the most important things you want when surfing the internet? Probably making sure your privacy is protected, your transactions are secure and it’s lightning fast, right? Well, Google, Apple and others are focused on making the internet faster on one hand and focused on security and privacy for their users on the other hand. Not always an easy task. Sometimes, these changes may cause errors and impact your checkout flow.
Google’s Chromium project and Apple’s WebKit team have both announced (and in some cases, deployed) updates to how cookies are treated by default. These updates will impact the most recent versions of Google Chrome, other Chromium-based browsers such as the latest Microsoft Edge for Windows and macOS, and Safari 13.1 for iOS, macOS, and iPadOS.
So, what does this mean for you?
If you are using cookies as part of your checkout flow to retain values related to the consumer's session, you may be impacted. Depending on how you have chosen to integrate your 3-D Secure solution, you may experience issues with authentication. In extreme cases, you may experience difficulty in fully completing an order.
We want to make sure you can continue to transact without issue. We have recommendations to help fix and test your changes for any challenges related to these cookie updates with detailed information on how to make sure you’re up to date and can avoid any problems with your checkout flow --------
Phil
ECT Moderator
United Kingdom
7621 Posts
Posted - 08/21/2020 : 08:14:56
Tinsle
Advanced Member
United Kingdom
342 Posts
Posted - 08/21/2020 : 08:21:25
Hi Phil,
Thanks for your reply. Presumably not having 3D Secure available will be less secure for both the seller and the buyer, so ideally we would like to have this switched on, but as a temporary fix maybe we can just switch it off until resolved.
Can you advise how you disabled 3D Secure?
Thanks
Kev
Phil
ECT Moderator
United Kingdom
7621 Posts
Posted - 08/21/2020 : 08:29:08
If you go into the main settings of your admin (store admin > main settings) there'll be three data entries under the heading Cardinal Commerce: Cardinal Processor ID, Cardinal Merchant ID and Cardinal Transaction Password. Just remove the entries and submit; obviously take a copy of the entries before you remove them.
Tinsle
Advanced Member
United Kingdom
342 Posts
Posted - 08/21/2020 : 08:35:21
Thanks Phil,
Any luck trying to get this one resolved? Do you know what file the cookie settings are stored on so we can make changes to it?
Regards
Kev
Phil
ECT Moderator
United Kingdom
7621 Posts
Posted - 08/21/2020 : 09:42:34
I wouldn't be making any changes until Vince looks into it. The cookie is set in the vsadmin/inc/inccart.php file, but I don't think that's the issue; it may be the way Cardinal Commerce is integrated, so it's best to wait and see what Vince has to say.
vsadmin/inc/inccart.php line 7389 <script ....
Vince
Administrator
42466 Posts
Posted - 08/21/2020 : 09:48:15
Tinsle
Advanced Member
United Kingdom
342 Posts
Posted - 06/01/2021 : 07:08:25
Hi Vince,
We recently failed a PCI scan this month due to "Insecure configuration of Cookie attributes".
Please refer to below details provided by TrustWave our PCI provider:
Cookie Vulnerability helps an attacker to gain access to session information stored in cookies. It may also be used as a 'locator' attack that precedes a Cross-Site Scripting (XSS) or Man-In-The-Middle attack. When looking for Cookie Vulnerabilities, an attacker will first observe cookies through various HTTP proxies and check their attributes. The attacker will then try to steal cookies of various users by employing multiple attacks. If successful, he/she may be able to get sensitive information which can be further used in an illegitimate way.
CVE: CVE-NO-MATCH
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N
Service: https
------ Evidence:
DetectionDetails: Cookie Vulnerabilities Found
ecttestcart = 1902
Path = /
Host = www.**************.co.uk
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Cookie Change Observed on CLIENTside
Request: GET https://www.**************.co.uk/index.php HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
---------- Remediation:
Secure flag must be set for Session Cookies for Application served over SSL. For all Session cookies, HTTPOnly flag would limit session access in cases of Cross-Site Scripting issues. Proper Caching headers should be set for responses carrying the cookie.
-----------
From the above, it seems a secure session cookie is not being dropped when a customer accesses the website? Can you please advise how we can rectify this so that a secure session cookie is set every time?
Look forward to hearing from you
Regards
Kev
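The cookie attributes that both the Cardinal bulletin (SameSite=None plus Secure) and the TrustWave finding (Secure plus HttpOnly) ask for, shown as an added PHP 7.3+ example; this is not ECT's own code and does not modify vsadmin/inc/inccart.php. It assumes the site is served over HTTPS only; the cookie name ecttestcart and value 1902 are taken from the scan evidence above.

```php
<?php
// Added example, not code from the ECT cart: harden the PHP session cookie
// (PHPSESSID) and a cart cookie on PHP 7.3+ so that they carry
// Secure, HttpOnly and SameSite=None.
// Assumption: every page is served over HTTPS (Secure cookies are never
// sent over plain HTTP, so a mixed http/https site would lose its session).

declare(strict_types=1);

// Configure PHPSESSID. Must run before session_start(), otherwise the
// session cookie has already been sent with the php.ini defaults.
function harden_session_cookie(): void
{
    // The array form is new in PHP 7.3 and is the only way to set SameSite here.
    // Chrome rejects SameSite=None unless Secure is also present.
    session_set_cookie_params([
        'lifetime' => 0,       // true session cookie, removed when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // HTTPS only (the missing "secure attribute" in the scan)
        'httponly' => true,    // not readable by JavaScript; limits XSS impact
        'samesite' => 'None',  // lets the 3-D Secure redirect/iframe keep the session
    ]);
    session_start();
}

// Same attributes for an ordinary cookie, e.g. the cart cookie from the scan.
function set_hardened_cookie(string $name, string $value, int $ttlSeconds = 0): bool
{
    return setcookie($name, $value, [
        'expires'  => $ttlSeconds > 0 ? time() + $ttlSeconds : 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
}

harden_session_cookie();
set_hardened_cookie('ecttestcart', '1902');   // constructed from the scan evidence

// The remediation text also asks for caching headers on responses that
// carry the cookie: stop shared caches from storing a personalised page.
header('Cache-Control: no-store, private');
```

SameSite=None gives up the browser's cross-site protection for that cookie, so the cart's own CSRF tokens still have to be in place; the cookieconsent_dismissed cookie seen in the later scan request is set client-side by JavaScript and cannot be HttpOnly, which is why the scanner only reports the session cookie.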
Vince
Administrator
42466 Posts
Posted - 06/02/2021 : 03:01:40
Vince
Administrator
42466 Posts
Posted - 06/03/2021 : 03:29:05
Tinsle
Advanced Member
United Kingdom
342 Posts
Posted - 06/03/2021 : 06:17:17
Thank you Vince, I will run the scan now. If there are any issues I will revert back. I will also update the cart to the latest version in the coming days.
Kind regards
Kev
Tinsle
Advanced Member
United Kingdom
342 Posts
Posted - 06/29/2021 : 01:40:31
Hi Vince,
Our PCI scan has run this month and we are now failing on the insecurity below, found on a few pages including the cart page:
"Insecure configuration of Cookie attributes, CVE-NO-MATCH"
Evidence:
DetectionDetails: Cookie Vulnerabilities Found
phpsessid = ns3h**********scleqjehk
Path = /
Host = www.**********.co.uk
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Request: GET https://www.**********.co.uk/cart.php HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Cookie: cookieconsent_dismissed=yes;
Remediation:
Secure flag must be set for Session Cookies for Application served over SSL. For all Session cookies, HTTPOnly flag would limit session access in cases of Cross-Site Scripting issues. Proper Caching headers should be set for responses carrying the cookie.
Please can you advise on this.
Regards
Kev
Vince
Administrator
42466 Posts
Posted - 07/01/2021 : 03:00:50
Tinsle
Advanced Member
United Kingdom
342 Posts
Posted - 07/02/2021 : 03:36:11
Hi Vince,
The server is running PHP 7.3.28. Do you think updating to version 8 will resolve this issue?
Look forward to hearing from you
Regards
Kev
Vince
Administrator
42466 Posts
Posted - 07/02/2021 : 09:25:29