Issue With Miva Merchant Cookies - Please Verify
    #31
    Re: Issue With Miva Merchant Cookies - Please Verify

    Originally posted by burch View Post
    I completely agree, but more than one PCI scanner will flag any attempt to set the same cookie on both HTTP and HTTPS URLs as a high-priority vulnerability. The issue comes up whenever a shopper lands on the site for the first time on an HTTPS URL.
    Thank you very much, Burch. I hate PCI scanners for this very reason -- and I'm sure you guys ran across countless other examples. Their automated tests can be completely useless when they don't understand what is actually happening. I fail to see the security issue with setting a http-able cookie on a https page when the value isn't something that needs to be kept secure.

    I have my fix in place for now, but please do keep me in the loop if you guys can find a permanent fix for this.

      #32
      Re: Issue With Miva Merchant Cookies - Please Verify

      Did PR8 update 9 Cookies Settings solve this issue?

      Does a new basket_id cookie automatically get created on the INVC page? If so, do we need to use the Cookie Settings tab to change Non-secure Miva cookie settings to both http and https connections, without secure flag?

      Would setting cookies with both http and https connections fail PCI testing?

      Does Bugfix 10041 affect this issue?
      Last edited by alphabet; 05-02-13, 11:05 AM. Reason: Add another question
      http://www.alphabetsigns.com/

        #33
        Re: Issue With Miva Merchant Cookies - Please Verify

        Did PR8 update 9 Cookies Settings solve this issue?

        Does a new basket_id cookie automatically get created on the INVC page? If so, do we need to use the Cookie Settings tab to change Non-secure Miva cookie settings to both http and https connections, without secure flag?
        Yes

        Would setting cookies with both http and https connections fail PCI testing?
        You might fail a scan (depends on your scanning company), but you won't actually be non-compliant; it's a false positive. But scanners aren't smart enough to decipher.
        Thanks,

        Rick Wilson
        CEO
        Miva, Inc.
        [email protected]
        https://www.miva.com

          #34
          Re: Issue With Miva Merchant Cookies - Please Verify

          Originally posted by Rick Wilson View Post
          Originally posted by alphabet View Post
          Did PR8 update 9 Cookies Settings solve this issue?

          Does a new basket_id cookie automatically get created on the INVC page? If so, do we need to use the Cookie Settings tab to change Non-secure Miva cookie settings to both http and https connections, without secure flag?

          Would setting cookies with both http and https connections fail PCI testing?

          Does Bugfix 10041 affect this issue?
          Yes
          Yes, but.

          So for some reason PR8-9 broke my fix for this (where I was manually creating the cookies using the toolkit). (Side note: I don't remember anything in the release notes about this, but the bug fix titles are so vague I'm sure I glossed over it.) I was reading through this thread again to jog my memory of how the whole problem works, and I noticed you said PR8-9 fixes this. While you are absolutely right that it does, it does require you to change a setting, so I wanted to document that: Global Settings > Domain Settings > Cookies. The default setting is "Set only on HTTP connections, without secure flag"; you need to change your store's setting to "Set on both HTTP and HTTPS connections, without secure flag".

          I flipped that setting, did a test order, and everything is working great now. I applaud you guys for adding this feature!

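The setting change described in post #34 is easiest to reason about with a small model of what the browser and the store actually do on each request. The following is an added example, not Miva Merchant code: the first two policy names mirror the two Cookies settings quoted above, the third ("https_only_secure", a cookie issued only over HTTPS and marked Secure) is a hypothetical variant added to show the trade-off, and the basket ids are constructed locally. It walks a shopper who lands on an HTTPS page first (the trigger described in post #31) and reports which basket the server saw on each request.

```python
# Added example: a constructed model of the cookie behaviour discussed in this
# thread.  It is not Miva Merchant code; the first two policy names mirror the
# settings named in post #34, the third is a hypothetical Secure-flag variant,
# and basket ids are generated locally.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure attribute: the browser returns it only over HTTPS


@dataclass
class Browser:
    """Minimal cookie jar: one cookie per name, honours the Secure attribute."""
    jar: dict = field(default_factory=dict)

    def cookies_for(self, scheme):
        """Cookies the browser would attach to a request over `scheme`."""
        return {c.name: c.value for c in self.jar.values()
                if scheme == "https" or not c.secure}

    def store(self, cookies):
        for c in cookies:
            self.jar[c.name] = c


# Which request schemes a Set-Cookie is issued on, and whether it carries Secure.
POLICIES = {
    # "Set only on HTTP connections, without secure flag" (the default named in the thread)
    "http_only_no_secure": {"set_on": {"http"}, "secure": False},
    # "Set on both HTTP and HTTPS connections, without secure flag" (the fix named in the thread)
    "both_no_secure": {"set_on": {"http", "https"}, "secure": False},
    # Hypothetical: issue only over HTTPS and mark Secure (assumption, not a setting quoted on the page)
    "https_only_secure": {"set_on": {"https"}, "secure": True},
}


def serve(policy, scheme, browser, ids):
    """Server side of one request: reuse the basket_id the browser sent, or
    create a new basket and issue a cookie only if the policy allows it on
    this scheme.  Returns (basket id used, cookies to set)."""
    sent = browser.cookies_for(scheme)
    if "basket_id" in sent:
        return sent["basket_id"], []
    basket = next(ids)
    if scheme in policy["set_on"]:
        return basket, [Cookie("basket_id", basket, policy["secure"])]
    return basket, []  # basket exists server-side but is never persisted in the browser


def simulate(policy_name, path):
    """Walk a shopper through `path`, a sequence of request schemes, and return
    the basket id the server saw on each request."""
    policy = POLICIES[policy_name]
    browser = Browser()
    ids = (f"basket-{n}" for n in count(1))  # constructed ids
    seen = []
    for scheme in path:
        basket, to_set = serve(policy, scheme, browser, ids)
        browser.store(to_set)
        seen.append(basket)
    return seen


def basket_is_stable(policy_name, path):
    """True when every request in the path landed on the same basket."""
    return len(set(simulate(policy_name, path))) == 1


if __name__ == "__main__":
    path = ["https", "http", "http"]  # shopper lands on an HTTPS page first
    for name in POLICIES:
        print(f"{name:22s} {simulate(name, path)}")
```

With the default policy the first (HTTPS) request creates a basket but never sets the cookie, so the next HTTP page gets a fresh basket and the shopper's state is lost; with "both" the same basket survives. The hypothetical Secure variant fails in the opposite direction on a site that mixes HTTP and HTTPS pages, because the browser withholds a Secure cookie on the HTTP requests. The model also makes the scanner objection from post #31 concrete: under the "both" setting the basket_id cookie travels over plain HTTP, which is only acceptable because, as post #31 says, its value is not something that needs to be kept secret.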
            #35
            Re: Issue With Miva Merchant Cookies - Please Verify

            I have just run into this problem with a customer who I believe visited the login screen first. She said that she logs in and then clicks on a link to a category; when she lands on the category page she is no longer logged in. Does this sound like the same issue? I was able to duplicate it when I went to a secure page first. My current setting is "Set only on HTTP connections, without secure flag"; will changing it to "Set on both HTTP and HTTPS connections, without secure flag" fix this?

            Thanks
            Highly caffeinated
            http://www.coffeehouseexpress.com
