Magento – Magento 2 – Cookies are not secure

magento2session

I was wondering if there is a setting for creating secure cookies on M2. I have a vulnerability check and it shown that cookies don't have "secure" tags.

Or do I need to override a core function?

Best Answer

This seems to be a persistent problem when a site gets scanned for PCI compliance. Issue seems to be going back quite a while: https://community.magento.com/t5/Technical-Issues/Need-suggestions-regarding-quot-Missing-Secure-Flag-From-SSL/td-p/19777

One hacky fix is suggested here: https://stackoverflow.com/questions/26792989/where-is-secure-tag-in-magento-cookie-on-ssl-secure-site

Related Solutions

Session Management – How Browser Cookies Are Affecting Our Live Site

Are you getting double cookies set? Bare Domain AND Subdomain? One for example.com and one for www.example.com?

I found on our site, we needed to do an .htaccess redirect to force everything to whichever was our choice for the website base server domain or we would run afoul of session hijack as the site would respond to one, set a cookie and immediately redirect to the other. Once cookies were double-set things came to grief.

Magento's settings for Cookie Path and domain did not alleviate it, even when correctly set.

Magento 2: Cookies Break Login on Subdomains

The cause of the whole issue seemed to be a cookie "PHPSESSID".

Whenever you view example.com it creates this cookie and when you go to business.example.com you cannot create this needed cookie as it cannot delete root domain cookies.

As a solution I created a script at example.com/unset_cookies.php which contained the following:

$past = time()-(24*60*60);

setcookie("PHPSESSID", "", $past);
setcookie("PHPSESSID", "", $past, '/', ".example.com");

Then on the login page for business.site.com I linked to this via iframe: app\design\frontend\Vendor\Wholesale\Magento_Customer\templates\form\login.phtml

<div class="block block-customer-login">
    <div class="block-title">
        <strong id="block-customer-login-heading" role="heading" aria-level="2"><?php /* @escapeNotVerified */ echo __('Registered Customers') ?></strong>
    </div>
    <div class="block-content" aria-labelledby="block-customer-login-heading">
        <form class="form form-login"
          ...
        </form>
        <div style="display: none;">
          <iframe style="width: 1px; height: 1px; display: none;" src="https://example.com/unset_cookies.php"></iframe>
        </div>
    </div>
</div>

This seemed to work for me.

Best Answer

Related Solutions

Session Management – How Browser Cookies Are Affecting Our Live Site

Magento 2: Cookies Break Login on Subdomains

Related Topic