View Issue Details

ID: 0002946
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2011-06-29 17:18
Reporter: mark
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 4.5.1 revision 38045
Summary: 0002946: Secure cookie causes session loss if user clicks a http link on a https without param force_sid
Description: OXID changed the session cookie to a secure cookie (by version 4.4.8). Due to security issues this may be correct, but it causes another problem.

Just add an article to your cart, go to checkout on https and open the mini-basket. The link to the first item in your basket doesn't have a force_sid param. If you click it, the session is lost!

Sometimes you can't avoid http links on a https page, which have no force_sid param (e.g. some bugs with oxConfig/isSsl() or just cms-content with absolute links). OXID should make the flag "secure" optional (checkbox in admin).
Steps To Reproduce: Add an article to your cart, go to checkout on https and open the mini-basket. The link to the first item in your basket doesn't have a force_sid param. If you click it, the session is lost!
Additional Information: core/oxutilsserver.php

function setOxCookie

CHANGE

return setcookie(
    $sName,
    $sValue,
    $iExpire,
    $this->_getCookiePath( $sPath ),
    $this->_getCookieDomain( $sDomain ),
    oxConfig::getInstance()->isSsl(), // secure flag: follows isSsl()
    true                              // httponly flag
);

to

return setcookie(
    $sName,
    $sValue,
    $iExpire,
    $this->_getCookiePath( $sPath ),
    $this->_getCookieDomain( $sDomain ),
    // secure flag: follows isSsl() only when blCookieSecure is enabled, otherwise off
    oxConfig::getInstance()->getConfigParam( 'blCookieSecure' ) ? oxConfig::getInstance()->isSsl() : false,
    true // httponly flag
);
Tags: No tags attached.
Theme: Both
Browser: All
PHP Version: any
Database Version: any
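
An added example, not part of the original report or of OXID's code: a small audit helper that lists the links on an https page that would trigger the session loss described above, that is, same-host http:// links without a force_sid parameter. The host shop.example, the sample HTML and the function name session_dropping_links are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs


class _LinkCollector(HTMLParser):
    """Collects the href values of all <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def session_dropping_links(page_url, html):
    """Return same-host http:// links on an https page that lack force_sid.

    A cookie set with the Secure flag is not sent on those requests, so the
    shop receives no session id and starts a new session.
    """
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # only pages served over https are audited
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        target = urlsplit(urljoin(page_url, href))  # resolve relative links
        if target.scheme != "http" or target.hostname != page.hostname:
            continue  # stays on https, or leaves the shop's host
        if "force_sid" not in parse_qs(target.query, keep_blank_values=True):
            flagged.append(href)
    return flagged


# Constructed sample: a mini-basket fragment on an https checkout page.
SAMPLE_PAGE = "https://shop.example/index.php?cl=basket"
SAMPLE_HTML = """
<a href="http://shop.example/index.php?cl=details&amp;anid=123">Item 1</a>
<a href="http://shop.example/index.php?cl=details&amp;anid=456&amp;force_sid=abc">Item 2</a>
<a href="/index.php?cl=payment">Next step</a>
<a href="http://other.example/info.html">Partner</a>
"""
```

Only the first sample link is reported: the second carries force_sid, the third resolves to https, and the fourth points at a different host.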

Relationships

related to 0002939, resolved, Arunas: usage without cookies impossible
related to 0002917, resolved, Arunas: Session gets lost when clicking on products in right side Minibasket during SSL-checkout
related to 0005446, closed, florian.auer: Advanced security for session-cookies

Activities

leofonic

2011-06-01 18:52

reporter   ~0004671

This may be a problem in minibasket code I described here: https://bugs.oxid-esales.com/view.php?id=2917
You could try whether the same links work OK in the real basket.

Arunas

2011-06-29 17:18

reporter   ~0004793

fixed, is actually related to https://bugs.oxid-esales.com/view.php?id=2917