Shopping Cart Software Forum for Ecommerce Templates

Cookie session transaction issues

Tinsle
Advanced Member

United Kingdom
302 Posts

Posted - 08/21/2020 :  08:06:16  
Hi, we received the below message from Cardinal Commerce (partner of PayPal for 3D secure payments) recently as transactions were failing on certain browsers due to a security update.

Chrome issue document: https://cardinaldocs.atlassian.net/wiki/download/attachments/1259077633/CardinalCommerce_Technical%20Bulletin_Google%20Chrome_4-29-2020.pdf

Safari issue document: https://cardinaldocs.atlassian.net/wiki/download/attachments/1259077633/CardinalCommerce_Technical_Bulletin_Safari_4-29-2020.pdf

Cookies on the cart.php page need to be set to SameSite=none and 'Secure'.

When I check on Chrome in the developer panel I can see 4 cookies, 3 of which are secure, but I need to set one to SameSite=none.

Please can you advise what file I can view the cookie settings in so that we can set them all to secure and ensure all transactions on our cart page are successful? Your prompt attention is most appreciated.

-------
Google Chrome Samesite and Safari, iPad and iOS Cookie Changes – How It Impacts You and What You Can Do

What are the most important things you want when surfing the internet? Probably making sure your privacy is protected, your transactions are secure and it’s lightning fast, right? Well, Google, Apple and others are focused on making the internet faster on one hand and focused on security and privacy for their users on the other hand. Not always an easy task. Sometimes, these changes may cause errors and impact your checkout flow.

Google’s Chromium project and Apple’s WebKit team have both announced (and in some cases, deployed) updates to how cookies are treated by default. These updates will impact the most recent versions of Google Chrome, other Chromium-based browsers such as the latest Microsoft Edge for Windows and macOS, and Safari 13.1 for iOS, macOS, and iPadOS.

So, what does this mean for you?

If you are using cookies as part of your checkout flow to retain values related to the consumers session, you may be impacted. Depending on how you have chosen to integrate your 3-D Secure solution, you may experience issues with authentication. In extreme cases, you may experience difficulty in fully completing an order.

We want to make sure you can continue to transact without issue. We have recommendations to help fix and test your changes for any challenges related to these cookie updates with detailed information on how to make sure you’re up to date and can avoid any problems with your checkout flow
--------

Phil
ECT Moderator

United Kingdom
7311 Posts

Posted - 08/21/2020 :  08:14:56  
One of my clients has also experienced payment issues using PayPal direct and I've temporarily disabled 3d secure for the moment and it appears the problem has gone away.



* Database Migrations and Conversions*
* ASP to PHP Cart Conversions*

*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

Tinsle
Advanced Member

United Kingdom
302 Posts

Posted - 08/21/2020 :  08:21:25  
Hi Phil,

Thanks for your reply, presumably not having the 3D secure available will be less secure for both the seller and buyer so ideally we would like to have this switched on but as a temporary fix maybe we can just switch off until resolved.

Can you advise how you disabled the 3D secure?

Thanks

Kev

Phil
ECT Moderator

United Kingdom
7311 Posts

Posted - 08/21/2020 :  08:29:08  
If you go into the main settings of your admin (store admin > main settings) there'll be three data entries under the heading Cardinal Commerce.

Cardinal Processor ID:
Cardinal Merchant ID:
Cardinal Transaction Password:

Just remove the entries and submit. Obviously take a copy of the entries before you remove them.




Tinsle
Advanced Member

United Kingdom
302 Posts

Posted - 08/21/2020 :  08:35:21  
Thanks Phil,

Any luck trying to get this one resolved? Do you know what file the cookie settings are stored on so we can make changes to it?

Regards

Kev

Phil
ECT Moderator

United Kingdom
7311 Posts

Posted - 08/21/2020 :  09:42:34  
I wouldn't be making any changes until Vince looks into it.

The cookie is set in the vsadmin/inc/inccart.php file but I don't think that's the issue. It may be the way Cardinal Commerce is integrated, so it's best to wait and see what Vince has to say.


vsadmin/inc/inccart.php line 7389
<script type="text/javascript">/* <![CDATA[ */
var ectvalue=Math.floor(Math.random()*10000 + 1);
document.cookie="ECTTESTCART=" + ectvalue + "; path=/";
if((document.cookie+";").indexOf("ECTTESTCART=" + ectvalue + ";") < 0) document.write("<?php print jscheck($GLOBALS['xxNoCk'] . ' ' . $GLOBALS['xxSecWar'])?>");
/* ]]> */</script>




Vince
Administrator

40282 Posts

Posted - 08/21/2020 :  09:48:15  
Hi Kev
Can you send me the site FTP login details to my email (vince AT ecommercetemplates DOT com) and I'll take a look into this.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

Tinsle
Advanced Member

United Kingdom
302 Posts

Posted - 06/01/2021 :  07:08:25  
Hi Vince,

We recently failed a PCI scan this month due to "Insecure configuration of Cookie attributes".

Please refer to below details provided by TrustWave our PCI provider:

Cookie Vulnerability helps an attacker to gain access to session
information stored in cookies. It may also be used as a 'locator' attack
that precedes a Cross-Site Scripting (XSS) or Man-In-The-Middle attack.
When looking for Cookie Vulnerabilities, an attacker will first observe
cookies through various HTTP proxies and check their attributes. The
attacker will then try to steal cookies of various users by employing
multiple attacks. If successful, he/she may be able to get sensitive
information which can be further used in an illegitimate way.
CVE: CVE-NO-MATCH
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N
Service: https

------
Evidence:
DetectionDetails: Cookie Vulnerabilities Found
ecttestcart = 1902
Path = /
Host = www.**************.co.uk
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Cookie Change Observed on CLIENTside
Request: GET https://www.**************.co.uk/index.php
HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1

----------
Remediation:
Secure flag must be set for Session Cookies for Application served over
SSL.
For all Session cookies, HTTPOnly flag would limit session access in
cases of Cross-Site Scripting issues. Proper Caching headers should be
set for responses carrying the cookie.
-----------


From the above understanding it seems a secure session cookie is not being dropped when a customer accesses the website? Can you please advise how we can rectify this so that a secure session cookie is set every time?

Look forward to hearing from you

Regards

Kev

Vince
Administrator

40282 Posts

Posted - 06/02/2021 :  03:01:40  
Hi Kev
This is the cookie that checks that javascript is not disabled and there is a test to see if the cart is on HTTPS, and if so a secure flag is set. But it seems this isn't happening in your case so could you send the site FTP login to my email (vince AT ecommercetemplates DOT com) and I'll investigate why.

Vince


Vince
Administrator

40282 Posts

Posted - 06/03/2021 :  03:29:05  
Hi Kev
It seems the change to add the "secure" flag was a bit more recent than I thought so the version of cart you are using didn't have the change. I've added it for you now so if you try another scan it should be ok. All the current releases have this change.

Vince


Tinsle
Advanced Member

United Kingdom
302 Posts

Posted - 06/03/2021 :  06:17:17  
Thank you Vince, I will run the scan now. If there are any issues I will revert back. I will also update the cart to the latest version in the coming days.

Kind regards

Kev

Tinsle
Advanced Member

United Kingdom
302 Posts

Posted - 06/29/2021 :  01:40:31  
Hi Vince,

Our PCI scan has run this month and we are now failing on the below insecurity found on a few pages including the cart page:

"Insecure configuration of Cookie attributes, CVE-NO-MATCH"

Evidence:
DetectionDetails: Cookie Vulnerabilities Found
phpsessid = ns3h**********scleqjehk
Path = /
Host = www.**********.co.uk
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Request: GET https://www.**********.co.uk/cart.php
HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Cookie: cookieconsent_dismissed=yes;
__utma=97143901.2002784734.1624949320.1624949320.162494932
0.1; __utmc=97143901; __utmb=97143901.3.10.1624949320;
__utmt=1;
__utmz=97143901.1624949320.1.1.utmcsr=(direct)|utmccn=(direct)|u
tmcmd=(none)

Remediation:
Secure flag must be set for Session Cookies for Application served over
SSL.
For all Session cookies, HTTPOnly flag would limit session access in
cases of Cross-Site Scripting issues. Proper Caching headers should be
set for responses carrying the cookie.

Please can you advise on this.

Regards

Kev

Vince
Administrator

40282 Posts

Posted - 07/01/2021 :  03:00:50  
Hi Kev
The phpsessid is automatically generated by PHP so it would really be up to PHP to set any required secure flags. Is the version of PHP on the server up to date? If it is then there are a couple of php.ini settings that can affect this as here...
https://stackoverflow.com/questions/51205876/https-cookie-httponly-and-secure

Vince


Tinsle
Advanced Member

United Kingdom
302 Posts

Posted - 07/02/2021 :  03:36:11  
Hi Vince,

The server is running PHP 7.3.28. Do you think updating to version 8 will resolve this issue?

Look forward to hearing from you

Regards

Kev

Vince
Administrator

40282 Posts

Posted - 07/02/2021 :  09:25:29  
Hi Kev
PHP 7.3.28 is plenty recent enough so I would look at the PHP.ini settings.

Vince

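The two cookie problems in this thread (the ECTTESTCART test cookie from inccart.php needing Secure and SameSite=None for the cross-site 3-D Secure flow, and the PCI scan flagging PHPSESSID and ECTTESTCART for missing Secure/HttpOnly) can be checked without a browser or a scanner. The following is an added example written for this page; it is not code from the thread or from the Ecommerce Templates cart. It models the cookie-acceptance rules current Chrome applies, reruns the same round-trip test the inccart.php snippet does, and audits Set-Cookie headers for the attributes the scan reports on. All function names and sample cookie values are hypothetical or constructed.

```javascript
// Added example, not code from the thread or from the Ecommerce Templates cart.
// Models (1) whether a browser with Chrome's SameSite rules keeps a cookie such
// as ECTTESTCART, and (2) an audit of Set-Cookie headers for the attributes the
// PCI scan flagged. Function names and sample values are hypothetical.

// Parse "name=value; attr; attr=value" into the fields the checks need.
function parseCookie(cookieString) {
  const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") c.secure = true;
    else if (key === "httponly") c.httpOnly = true;
    else if (key === "samesite") c.sameSite = v.toLowerCase();
  }
  return c;
}

// Test-cookie string in the form the Cardinal bulletin asks for: on HTTPS the
// cookie carries Secure and SameSite=None so it survives the cross-site 3-D
// Secure round trip; on plain HTTP neither attribute would be accepted.
function buildTestCookie(name, value, protocol) {
  let cookie = `${name}=${value}; path=/`;
  if (protocol === "https:") cookie += "; Secure; SameSite=None";
  return cookie;
}

// Minimal model of a current Chrome cookie jar: a Secure cookie is only stored
// when set from https:, and SameSite=None is rejected unless Secure is present.
function storeCookie(jar, cookieString, protocol) {
  const c = parseCookie(cookieString);
  if (c.secure && protocol !== "https:") return false;
  if (c.sameSite === "none" && !c.secure) return false;
  jar.set(c.name, c.value);
  return true;
}

// The same round-trip check inccart.php makes: set the cookie, then look for
// "name=value;" in what the browser hands back. false means the cart would
// show its "cookies disabled" warning.
function runCookieTest(protocol, cookieString) {
  const jar = new Map();
  const c = parseCookie(cookieString);
  storeCookie(jar, cookieString, protocol);
  const header = [...jar].map(([n, v]) => `${n}=${v}`).join("; ") + ";";
  return header.indexOf(`${c.name}=${c.value};`) >= 0;
}

// Audit one Set-Cookie header the way the scan above does. readByScript marks
// cookies that page JavaScript must read back (like ECTTESTCART): those cannot
// be HttpOnly, so that finding is skipped for them.
function auditCookie(header, overHttps, readByScript = false) {
  const c = parseCookie(header);
  const problems = [];
  if (overHttps && !c.secure) problems.push("missing Secure on HTTPS");
  if (!c.httpOnly && !readByScript) problems.push("missing HttpOnly");
  if (c.sameSite === null) problems.push("no SameSite attribute (browser defaults to Lax)");
  if (c.sameSite === "none" && !c.secure) problems.push("SameSite=None without Secure (rejected)");
  return { name: c.name, problems, pass: problems.length === 0 };
}

// Audit a whole response; cookies named in scriptReadable skip the HttpOnly check.
function auditAll(headers, overHttps, scriptReadable = new Set(["ECTTESTCART"])) {
  return headers.map((h) => auditCookie(h, overHttps, scriptReadable.has(parseCookie(h).name)));
}

// Constructed samples: roughly what the scan saw, and a hardened equivalent.
const SAMPLE_BEFORE = [
  "PHPSESSID=CONSTRUCTED_SESSION_ID; path=/",
  "ECTTESTCART=1902; path=/",
];
const SAMPLE_AFTER = [
  "PHPSESSID=CONSTRUCTED_SESSION_ID; path=/; Secure; HttpOnly; SameSite=Lax",
  "ECTTESTCART=1902; path=/; Secure; SameSite=None",
];

console.log(JSON.stringify(auditAll(SAMPLE_BEFORE, true), null, 2));
console.log(JSON.stringify(auditAll(SAMPLE_AFTER, true), null, 2));
```

Two points the model makes visible: a SameSite=None cookie without Secure is silently dropped, so the cart's own ECTTESTCART round-trip test would fail and show the "cookies disabled" warning even with JavaScript enabled; and a cookie the page must read back from JavaScript can never carry HttpOnly, so for that cookie only Secure and SameSite are achievable. PHPSESSID is set by PHP itself; the PHP directives that control its attributes are session.cookie_secure, session.cookie_httponly and (PHP 7.3 and later) session.cookie_samesite in php.ini, or the same keys passed to session_set_cookie_params() before session_start(). Those directive names come from PHP's own documentation, not from the thread.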
Shopping Cart Software Forum for Ecommerce Templates © 2002-2020 ecommercetemplates.com