Hi we received the below message from Cardinal Commerce (partner of PayPal for 3D secure payments) recently as transactions were failing on certain browsers due to a security update.

Chrome issue document: [url]https://cardinaldocs.atlassian.net/wiki/download/ attachments/1259077633/CardinalCommerce_Technical Bulletin_Google Chrome_4-29-2020.pdf[/url]

Safari issue document: [url]https://cardinaldocs.atlassian.net/ wiki/download/attachments/1259077633/ CardinalCommerce_Technical_ Bulletin_Safari_4-29-2020.pdf[/url]

Cookies on the cart.php page need to be set to SameSite=none and 'Secure'.

When i check on chrome in the developer panel i can see 4 cookies, 3 of which are secure but i need to set one to SameSite=none

Please can you advise what file i can view the cookie settings in so that we can set them all to secure and ensure all transactions on our cart page are successful? Your prompt attention is most appreciated.

-------
Google Chrome Samesite and Safari, iPad and iOS Cookie Changes – How It Impacts You and What You Can Do

What are the most important things you want when surfing the internet? Probably making sure your privacy is protected, your transactions are secure and it’s lightning fast, right? Well, Google, Apple and others are focused on making the internet faster on one hand and focused on security and privacy for their users on the other hand. Not always an easy task. Sometimes, these changes may cause errors and impact your checkout flow.

Google’s Chromium project and Apple’s WebKit team have both announced (and in some cases, deployed) updates to how cookies are treated by default. These updates will impact the most recent versions of Google Chrome, other Chromium-based browsers such as the latest Microsoft Edge for Windows and macOS, and Safari 13.1 for iOS, macOS, and iPadOS.

So, what does this mean for you?

If you are using cookies as part of your checkout flow to retain values related to the consumers session, you may be impacted. Depending on how you have chosen to integrate your 3-D Secure solution, you may experience issues with authentication. In extreme cases, you may experience difficulty in fully completing an order.

We want to make sure you can continue to transact without issue. We have recommendations to help fix and test your changes for any challenges related to these cookie updates with detailed information on how to make sure you’re up to date and can avoid any problems with your checkout flow
--------

One of my clients has also experienced payment issues using PayPal direct and I've temporarily disabled 3d secure for the moment and it appears the problem has gone away.



* Database Migrations and Conversions*
* ASP to PHP Cart Conversions*
*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

Hi Phil,

Thanks for your reply, presumably not having the 3D secure available will be less secure for both the seller and buyer so ideally we would like to have this switched on but as a temporary fix maybe we can just switch off until resolved.

Can you advise how you disabled the 3D secure?

Thanks

Kev

If you go into the main settings of your admin (store admin > main settings) they'll be three data entries under the heading cardinal commerce.

Cardinal Processor ID:
Cardinal Merchant ID:
Cardinal Transaction Password:

Just remove the entries and submit, obviously take a copy of the entries before you remove them



* Database Migrations and Conversions*
* ASP to PHP Cart Conversions*
*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

Thanks Phil,

Any luck trying to get this one resolved? Do you know what file the cookie settings are stored on so we can make changes to it?

Regards

Kev

I wouldn't be making any changes until Vince looks into it.

The cookie is set in the vsadmin/inc/inccart.php file but I don't think that's the issue, it maybe the way Cardinal Commerce is integrated so it's best to wait and see what Vince has to say


vsadmin/inc/inccart.php line 7389
<script ....



* Database Migrations and Conversions*
* ASP to PHP Cart Conversions*
*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

Hi Kev
Can you send me the site FTP login details to my email (vince AT ecommercetemplates DOT com) and I'll take a look into this.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

Hi Vince,

We recently failed a PCI scan this month due to "Insecure configuration of Cookie attributes".

Please refer to below details provided by TrustWave our PCI provider:

Cookie Vulnerability helps an attacker to gain access to session
information stored in cookies. It may also be used as a 'locator' attack
that precedes a Cross-Site Scripting (XSS) or Man-In-The-Middle attack.
When looking for Cookie Vulnerabilities, an attacker will first observe
cookies through various HTTP proxies and check their attributes. The
attacker will then try to steal cookies of various users by employing
multiple attacks. If successful, he/she may be able to get sensitive
information which can be further used in an illegitimate way.
CVE: CVE-NO-MATCH
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N
Service: https

------
Evidence:
DetectionDetails: Cookie Vulnerabilities Found
ecttestcart = 1902
Path = /
Host = www.**************.co.uk
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Cookie Change Observed on CLIENTside
Request: GET https://www.**************.co.uk/index.php
HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1

----------
Remediation:
Secure flag must be set for Session Cookies for Application served over
SSL.
For all Session cookies, HTTPOnly flag would limit session access in
cases of Cross-Site Scripting issues. Proper Caching headers should be
set for responses carrying the cookie.
-----------


From the above understanding it seems a secure session cookie is not being dropped when a customer accesses the website? Can you please advise how we can rectify this so that a secure session cookie is set everytime?

Look forward to hearing from you

Regards

Kev

Hi Kev
This is the cookie that checks that javascript is not disabled and there is a test to see if the cart is on HTTPS, and if so a secure flag is set. But it seems this isn't happening in your case so could you send the site FTP login to my email (vince AT ecommercetemplates DOT com) and I'll investigate why.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

Hi Kev
It seems the change to add the "secure" flag was a bit more recent than I thought so the version of cart you are using didn't have the change. I've added it for you now so if you try another scan it should be ok. All the current releases have this change.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

Thank you Vince, i will run the scan now. If there are any issues i will revert back. I will also update the cart to the latest version in the coming days.

Kind regards

Kev

Hi Vince,

Our PCI scan has run this month and we are now failing on the below insecurity found on a few pages including the cart page:

"Insecure configuration of Cookie attributes, CVE-NO-MATCH"

Evidence:
DetectionDetails: Cookie Vulnerabilities Found
phpsessid = ns3h**********scleqjehk
Path = /
Host = www.**********.co.uk
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Request: GET https://www.**********.co.uk/cart.php
HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Cookie: cookieconsent_dismissed=yes;

Remediation:
Secure flag must be set for Session Cookies for Application served over
SSL.
For all Session cookies, HTTPOnly flag would limit session access in
cases of Cross-Site Scripting issues. Proper Caching headers should be
set for responses carrying the cookie.

Please can you advise on this.

Regards

Kev

Hi Kev
The phpsessid is automatically generated by PHP so it would really be up to PHP to set any required secure flags. Is the version of PHP on the server up to date? If it is then there are a couple of php.ini settings that can affect this as here...
https://stackoverflow.com /questions/51205876/https-cookie-httponly-and-secure

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

Hi Vince,

The server is running PHP 7.3.28. Do you think updating to version 8 will resolve this issue?

Look forward to hearing from you

Regards

Kev

Hi Kev
PHP 7.3.28 is plenty recent enough so I would look at the PHP.ini settings.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater