Post by redmail » Wed Apr 15, 2020 11:21 pm

Hi,
Currently the PHPSESSID cookie is set to HttpOnly, but to be PCI compliant the "secure flag" needs to be set on cookies even if no sensitive information is being shared.
What code would need to be inserted to make the cookies secure?

I placed

    session.cookie_secure = On;

in php.ini but it had no effect on the cookie.

Opencart version 2.3.0.2
PHP 7.2

SOLUTION below for phpsessid, currency and language
Last edited by redmail on Thu Apr 16, 2020 9:19 pm, edited 4 times in total.


Post by straightlight » Wed Apr 15, 2020 11:25 pm

This topic has now been moved to the OpenCart 2.0 Support > General Support section of the forum.

The most generated errors being found on the Opencart forum originate from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Programmer / Opencart Tester



Post by redmail » Thu Apr 16, 2020 3:39 am

[SOLVED] The Secure flag is now being displayed for PHPSESSID, currency and language.

For both NGINX and Apache

1. Go to where you installed OpenCart, then find /system/library/session.php

2. Find

    if ($this->adaptor && !session_id()) {
        ini_set('session.use_only_cookies', 'Off');
        ini_set('session.use_cookies', 'On');
        ini_set('session.use_trans_sid', 'Off');
        ini_set('session.cookie_httponly', 'On');
3. Add this line directly after it

        ini_set('session.cookie_secure', 'On');

If 'On' doesn't work, try replacing it with 1.

4. Save file and upload it back on your server

5. Go to the website in Chrome incognito mode, click the green padlock in the address bar, and under Cookies it should say "secure connection only".
The long way is to right-click, Inspect > Network tab > refresh the page > filter by "cookie" and check the "index.php" entry.
There should be a tick under HttpOnly and Secure for PHPSESSID.
Clear your browser cookies to see this in non-incognito mode.

6. For the currency and language cookies, open upload/catalog/controller/startup/startup.php

7. Find

    setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);

and replace it with

    setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST'], true, true);

Find

    setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);

and replace it with

    setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST'], true, true);
8. Repeat step 5 and check that the HttpOnly and Secure flags are ticked for the currency and language cookies.

OPTIONAL for APACHE server ONLY

Edit your main .htaccess where you installed OpenCart:

    # 8. Set Secure Flag on eligible cookies
    php_value session.cookie_secure 1
More security options to do:
SAMESITE cookies MUST be set up asap, read below.
viewtopic.php?f=64&t=217040&p=782859&hi ... te#p782859
https://translate.googleusercontent.com ... f_9fM6LpfA
https://translate.googleusercontent.com ... pL6EIiSxQg
Extra
https://www.freelancer.co.uk/projects/p ... -websites/
https://www.opencart.com/index.php?rout ... or%20Donev
Also consider adding a web app firewall like getastra.com

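The following is an added example, not code from the post above or from OpenCart: it automates the manual browser check in step 5 by parsing the Set-Cookie headers a response returns and reporting which of PHPSESSID, currency and language still lack Secure, HttpOnly or SameSite. The header strings are constructed to mirror an OpenCart 2.3.0.2 install before and after the posted edits (PHP emits the flags as "secure" and "HttpOnly"); they were not captured from a live shop, and shop.example is a placeholder domain.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes.

Added example for the forum thread, not OpenCart's own code. The sample headers
below are constructed, not captured from a real site.
"""
from typing import Dict, List, Tuple

# Constructed sample: headers as the unmodified install sends them
# (PHPSESSID is HttpOnly only; currency and language carry no flags at all).
BEFORE_FIX = [
    "PHPSESSID=0a1b2c3d4e5f; path=/; HttpOnly",
    "currency=USD; expires=Sat, 16-May-2020 03:39:00 GMT; Max-Age=2592000; path=/; domain=shop.example",
    "language=en-gb; expires=Sat, 16-May-2020 03:39:00 GMT; Max-Age=2592000; path=/; domain=shop.example",
]

# Constructed sample: the same cookies after ini_set('session.cookie_secure', 'On')
# and the two setcookie(..., true, true) edits from the post.
AFTER_FIX = [
    "PHPSESSID=0a1b2c3d4e5f; path=/; secure; HttpOnly",
    "currency=USD; expires=Sat, 16-May-2020 03:39:00 GMT; Max-Age=2592000; path=/; domain=shop.example; secure; HttpOnly",
    "language=en-gb; expires=Sat, 16-May-2020 03:39:00 GMT; Max-Age=2592000; path=/; domain=shop.example; secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive per RFC 6265, so they are returned
    lower-cased; bare flags such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Return the cookie name and a list of findings (empty when fully hardened)."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")       # the PCI requirement raised in the thread
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")     # the follow-up item the post points to
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None unless the cookie is also Secure.
        findings.append("SameSite=None requires Secure")
    return name, findings


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"--- {label} ---")
        for name, findings in audit(headers).items():
            print(f"{name:10} {', '.join(findings) or 'OK'}")
```

To run it against a real shop, collect the response headers with something like `curl -sD - -o /dev/null https://your-shop/` and pass the Set-Cookie values to audit(). Note that even after the posted changes, the audit still flags every cookie as missing SameSite, which matches the thread's remark that SameSite remains to be set up separately.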