Support Forums

Secure Cookies?




This topic is resolved.


05-22-2008, 04:43 AM   #1
cwp

I'm trying to get my website PCI compliant. (It's a struggle.)

Is there a way to secure the cookies in 68classifieds? I know nothing about setting cookies in web applications.

Also, if anyone knows of any other scan software that will get you PCI compliant much easier than McAfee's Hacker Safe, I'm up for it. Most of the things that it points out I can't fix myself.

I was notified of this from Hacker Safe:

Missing Secure Attribute in an Encrypted Session (SSL) Cookie

Port: 443
First Detected: 22-MAY-2008 00:24
Category: Web Application
Protocol: HTTPS
Fix Difficulty: Medium
Impact: Information Disclosure
Description
The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack.
Solution
It is best business practice that any cookies that are sent (set-cookie) over an SSL connection explicitly state secure on them.
Detail

Path: /userjoin.php --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=36c9f1f8038cfb565007e11df9e8174b; path=/
Path: /userjoin --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=f27c3d4b2ebde69c99a70d419eb0edcf; path=/
Path: sawmill --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=2d390141b3e9bb5c14d3a5c787a1936a; path=/
Path: index.fts --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=b0201d953698dd22c5455f73c51152c2; path=/
Path: %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/boot.ini --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=cfdee9116f0a3130ccc2a571c32f374e; path=/
Path: ..\..\..\..\..\..\boot.ini --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=8b67735138da5b5f747d6695fd2ffd58; path=/
Path: ../../../../../../boot.ini --> No "Secure" Attribute on Secure Channel (https) : PHPSESSID=237d38cac04ec23fb187fb1cee96f365; path=/
Path: /page/usercheckout --> No "Secure" Attribute on Secure Channel (https) : classLogin=deleted; expires=Wed, 23-May-2007 06:28:38 GMT; path=/
Path: /page/usercheckout --> No "Secure" Attribute on Secure Channel (https) : classLogin=deleted; expires=Wed, 23-May-2007 06:28:45 GMT; path=/
Links
IPA Security Center
RFC 2109 - HTTP State Management Mechanism
Persistent Client State HTTP Cookies
Related
None


Potentially Sensitive Information Missing Secure Attribute in an Encrypted Session (SSL) Cookie

Port: 443
First Detected: 22-MAY-2008 00:24
Category: Web Application
Protocol: HTTP
Fix Difficulty: Medium
Impact: Information Disclosure
Description
The application sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie, over the non-secure channel, and use it for a session hijacking attack. The information that was sent was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords.
Solution
It is best business practice that any cookies that are sent (set-cookie) over an SSL connection explicitly state secure on them.
Detail

Path: /userjoin --> Sensitive Info on secure Channel (https) without "Secure" Attribute : PHPSESSID=f27c3d4b2ebde69c99a70d419eb0edcf; path=/
Path: index.fts --> Sensitive Info on secure Channel (https) without "Secure" Attribute : PHPSESSID=b0201d953698dd22c5455f73c51152c2; path=/
Path: ..\..\..\..\..\..\boot.ini --> Sensitive Info on secure Channel (https) without "Secure" Attribute : PHPSESSID=8b67735138da5b5f747d6695fd2ffd58; path=/
Path: /page/usercheckout --> Sensitive Info on secure Channel (https) without "Secure" Attribute : classLogin=deleted; expires=Wed, 23-May-2007 06:28:38 GMT; path=/
Links
Persistent Client State HTTP Cookies
RFC 2109 - HTTP State Management Mechanism
Related
Other: No References Available
__________________
Version 4.0.3 Developer
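The two findings above apply one rule: a cookie delivered in an HTTPS response that lacks the Secure attribute may later be sent by the browser over plain HTTP. The following is an added example, not part of the original post or of Hacker Safe, that reproduces that check over constructed Set-Cookie header lines shaped like the report's detail lines (the third line is a corrected variant added for contrast). It also flags a missing HttpOnly attribute, which the scanner did not report but which a reviewer would check in the same pass.

```php
<?php
// Added example (not from 68classifieds or the scanner): re-run the
// "Missing Secure Attribute in an Encrypted Session (SSL) Cookie" rule over
// constructed Set-Cookie header values.

/**
 * Parse one Set-Cookie header value into name, value and a map of attributes.
 * Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
 */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $pair  = array_shift($parts);
    $eq    = strpos($pair, '=');
    $name  = $eq === false ? $pair : substr($pair, 0, $eq);
    $value = $eq === false ? '' : substr($pair, $eq + 1);

    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $eq = strpos($part, '=');
        if ($eq === false) {
            $attrs[strtolower($part)] = true;                     // flag attribute
        } else {
            $attrs[strtolower(substr($part, 0, $eq))] = substr($part, $eq + 1);
        }
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

/**
 * Apply the report's rule: a cookie set over HTTPS must carry Secure.
 * HttpOnly is checked regardless of scheme. Returns a list of finding strings;
 * an empty list means the response is clean.
 */
function auditCookies(string $scheme, array $setCookieHeaders): array
{
    $findings = [];
    foreach ($setCookieHeaders as $header) {
        $c = parseSetCookie($header);
        if ($scheme === 'https' && empty($c['attrs']['secure'])) {
            $findings[] = sprintf('%s: no Secure attribute on https response', $c['name']);
        }
        if (empty($c['attrs']['httponly'])) {
            $findings[] = sprintf('%s: no HttpOnly attribute', $c['name']);
        }
    }
    return $findings;
}

// Constructed sample: two headers in the shape of the report, one corrected form.
$sample = [
    'PHPSESSID=36c9f1f8038cfb565007e11df9e8174b; path=/',
    'classLogin=deleted; expires=Wed, 23-May-2007 06:28:38 GMT; path=/',
    'PHPSESSID=36c9f1f8038cfb565007e11df9e8174b; path=/; secure; HttpOnly',
];

foreach (auditCookies('https', $sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with the PHP CLI against header values captured from your own HTTPS responses (for example from `curl -sI https://your-host/userjoin.php`); only the first two sample cookies produce findings, the corrected one is silent.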
05-22-2008, 09:10 AM   #2
Lhotch

When setting a cookie in the code you specify if it's supposed to be secure or not. By default it's not, and if it's set to be secure and there isn't a secure connection, the cookie won't be set.

What would need to be done is the function used for setting the cookie would first need to check for a secure connection; if secure, use setcookie with the secure flag, otherwise use standard setcookie.
__________________
Larry

Knowledge learned is more valuable than knowledge given.
05-22-2008, 09:28 AM   #3
cwp

Quote:
Originally Posted by Lhotch
When setting a cookie in the code you specify if it's supposed to be secure or not. By default it's not, and if it's set to be secure and there isn't a secure connection, the cookie won't be set.

What would need to be done is the function used for setting the cookie would first need to check for a secure connection; if secure, use setcookie with the secure flag, otherwise use standard setcookie.
Thanks, do you happen to know where cookies are set (which page)? I know nothing about cookies, or even how they're set within code.
__________________
Version 4.0.3 Developer
05-22-2008, 11:41 AM   #4
Eric Barnes (68 Classifieds Staff)

Cookies are set in includes/classes/kernel/Login.php

Keep in mind that if a cookie is set as secure and they visit your site without using SSL, then I do not believe it will be able to read the cookie.
__________________
Eric Barnes
68 Classifieds Developer
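Putting Lhotch's approach (check for a secure connection, then pass the secure flag) and Eric's caveat (a Secure cookie is not sent back by the browser on a non-SSL visit) together, here is an added PHP example. It is not the project's own includes/classes/kernel/Login.php code; the cookie names come from the scan report, and the helper names, the cookie lifetime and the placeholder login value are this example's own assumptions.

```php
<?php
// Added example (not 68classifieds code): set cookies with Secure only when the
// request itself arrived over HTTPS, and with HttpOnly always.

/**
 * True when the current request arrived over TLS. PHP exposes this as
 * $_SERVER['HTTPS']; some servers (IIS) set it to "off" instead of unsetting it.
 */
function requestIsHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

/**
 * setcookie() wrapper. Over HTTPS the cookie is marked Secure, so the browser
 * will never send it over plain HTTP (the scanner's complaint). Over plain HTTP
 * it is set without Secure so a non-SSL visit still works, which is the
 * trade-off Eric describes. HttpOnly is always set: the cookie is not needed by
 * page scripts, so keeping it out of document.cookie costs nothing.
 */
function setCookieHardened(string $name, string $value, int $expire = 0, string $path = '/'): bool
{
    // args: name, value, expire, path, domain ('' = current host), secure, httponly
    return setcookie($name, $value, $expire, $path, '', requestIsHttps(), true);
}

/**
 * Give the PHPSESSID cookie the same treatment. Must run before session_start(),
 * since the Set-Cookie header is emitted when the session begins.
 */
function startHardenedSession(): void
{
    // lifetime 0 = session cookie; domain '' = current host
    session_set_cookie_params(0, '/', '', requestIsHttps(), true);
    session_start();
}

startHardenedSession();

// "opaque-login-token-goes-here" is a placeholder; the real value is whatever
// the application's login code already stores in classLogin.
setCookieHardened('classLogin', 'opaque-login-token-goes-here', time() + 86400);
```

If the site is served only over HTTPS, the conditional can be dropped and the flag set unconditionally, either in code as above or through `session.cookie_secure = 1` and `session.cookie_httponly = 1` in php.ini, which covers PHPSESSID without touching application code. Logging out should clear the cookie through the same wrapper so the "deleted" Set-Cookie in the report also carries the flags.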
05-22-2008, 11:46 AM   #5
cwp

Quote:
Originally Posted by suzkaw
Cookies are set in includes/classes/kernel/Login.php

Keep in mind that if a cookie is set as secure and they visit your site without using SSL, then I do not believe it will be able to read the cookie.
Thanks, I think I'm just going to forget about being "PCI compliant". They want you to do the impossible.
__________________
Version 4.0.3 Developer