View Issue Details

ID: 0005446
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2018-03-02 15:50
Reporter: henrik.steffen
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 4.7.8 / 5.0.8
Summary: 0005446: Advanced security for session-cookies
Description:
Security audits require that the "secure-flag" of cookies should always be set.

This would imply that the whole shop needs to be run on https://, which is not viable.

Instead, the preferred solution would be to have two different cookies:

One just for the http-area of the web-shop, and another one for the https-area (using the httpOnly and secure flags).

Tags: Cookies, HTTPS, Security
Theme: All
Browser: All
PHP Version: Not defined
Database Version: Not defined

Relationships

related to 0002946 (resolved, Arunas): Secure cookie causes session loss if user clicks a http link on a https without param force_sid

Activities

svetlana

2014-03-28 10:00

reporter   ~0009704

Waiting for the PO decision.

florian.auer

2015-05-04 14:07

reporter   ~0010931

Acknowledged

keywan.ghadami

2016-05-17 00:20

reporter   ~0011587

Last edited: 2016-08-10 12:52

A related pull request was merged:
https://github.com/OXID-eSales/oxideshop_ce/pull/360
If the shop is configured to be https only, then cookies will have the secure flag on and security audits should pass.

For security reasons it is no longer suggested to support an http/https mix. So the whole shop must always run with https to be secure. I guess there is no more need to support secure flagged cookies in mixed mode - but if you like to do so, be aware of problems we had with that in the past, like https://bugs.oxid-esales.com/view.php?id=2946.

So I think this ticket can be closed.
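The approach the last comment describes (set the secure flag on the session cookie only when the shop is configured as https-only, so that http pages do not lose the session as in ticket 0002946) can be shown with plain PHP session APIs. The following is an added example written for this page, not code from OXID eShop or from the pull request above. It assumes a hypothetical boolean `$shopIsHttpsOnly` derived from shop configuration, and PHP 7.4 or newer for the array form of `session_set_cookie_params()` and arrow functions. It also includes a small audit helper that checks a Set-Cookie header for the Secure and HttpOnly attributes, which is what a security audit would look for.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not OXID eShop code).
 * Builds session cookie parameters for an https-only shop and audits a
 * Set-Cookie header for the Secure and HttpOnly attributes.
 */

// Assumption: a single boolean derived from shop configuration (hypothetical).
function sessionCookieParams(bool $shopIsHttpsOnly): array
{
    return [
        'lifetime' => 0,                 // browser-session cookie
        'path'     => '/',
        'domain'   => '',                // host-only cookie
        // Secure: the browser sends the cookie over TLS only. Only safe when
        // every shop URL is https; on a mixed shop, http pages would lose the session.
        'secure'   => $shopIsHttpsOnly,
        // HttpOnly: not readable from JavaScript, which limits session theft via XSS.
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

/**
 * Parses a Set-Cookie header and reports which security attributes are present.
 * Attribute names are matched case-insensitively, as RFC 6265 allows.
 */
function auditSetCookie(string $setCookieHeader): array
{
    $parts = array_map('trim', explode(';', $setCookieHeader));
    $pair  = array_shift($parts);                       // "name=value"
    [$name] = explode('=', $pair, 2);
    $attrs = array_map(
        fn(string $attr): string => strtolower(explode('=', $attr, 2)[0]),
        $parts
    );

    return [
        'name'     => $name,
        'secure'   => in_array('secure', $attrs, true),
        'httponly' => in_array('httponly', $attrs, true),
    ];
}

// At request start, before any output:
$shopIsHttpsOnly = true;   // would come from shop configuration in a real deployment
session_set_cookie_params(sessionCookieParams($shopIsHttpsOnly));
session_name('sid');
session_start();

// Constructed sample header, as an audit script or reverse proxy would see it:
$header = 'sid=abc123; path=/; secure; HttpOnly; SameSite=Lax';
$result = auditSetCookie($header);

if (!$result['secure'] || !$result['httponly']) {
    error_log(sprintf('session cookie "%s" is missing Secure or HttpOnly', $result['name']));
}
```

The audit helper is the useful part for closing a finding: run it against the Set-Cookie headers the shop actually emits (for example from a curl trace) rather than trusting the configuration, since a misconfigured proxy or a second cookie set by a module can still ship without the flags.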