Hi,
Before I start fiddling with the phpMyFAQ script I thought I'd ask if there has already been a measure developed to set 'httpOnly' against the pmf_sid cookie, at all?
Ideally, it would be interesting to see if one can set 'httpOnly' and 'Secure' all together.
Please note, our php.ini already has working flags (which show up on other cookies), yet these are not being picked up by pmf_sid.
I'd appreciate your thoughts on this.
Thank you
Session Cookie (pmf_sid) PCI compliance
Moderator: Thorsten
Re: Session Cookie (pmf_sid) PCI compliance
Hi,
I tried httpOnly cookies some years ago and they worked on most user scenarios.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
Re: Session Cookie (pmf_sid) PCI compliance
Our security department pushed me on this issue:
The cookie is not controlled via php.ini, but depends on phpMyFAQ.
I have modified the setCookie function in the file inc\PMF\session.php:
public static function setCookie($name, $sessionId = '', $timeout = PMF_SESSION_EXPIRED_TIME)
{
    // Arguments 5-7 of setcookie(): domain, secure (send over HTTPS only), httponly
    return setcookie(
        $name,
        $sessionId,
        $_SERVER['REQUEST_TIME'] + $timeout,
        dirname($_SERVER['SCRIPT_NAME']),
        "myFAQURL",
        true,
        true
    );
}
My questions are:
1. How to make this work for systems with http as well (the last 3 items shall not be used).
2. How to use the function getDefaultUrl?
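One way to answer question 1, as an added example that is not phpMyFAQ's own code: keep HttpOnly unconditional and set Secure only when the request actually arrived over HTTPS, so the same function works on plain-HTTP installations. The function names pmfRequestIsHttps and pmfSetSessionCookie are hypothetical, the fallback value for PMF_SESSION_EXPIRED_TIME is assumed for stand-alone runs, and the options-array form of setcookie() requires PHP 7.3 or later.

```php
<?php
// Added example (not phpMyFAQ's own code): HttpOnly always, Secure only on HTTPS.
// PMF_SESSION_EXPIRED_TIME is phpMyFAQ's constant; 3600 is an assumed fallback.
if (!defined('PMF_SESSION_EXPIRED_TIME')) {
    define('PMF_SESSION_EXPIRED_TIME', 3600);
}

/**
 * Detect whether the current request was served over HTTPS.
 * $trustProxyHeader may only be true when a trusted TLS-terminating proxy
 * sits in front of PHP and overwrites any client-supplied X-Forwarded-Proto;
 * otherwise a plain-HTTP client could claim HTTPS and get a Secure cookie
 * that the browser then never sends back.
 */
function pmfRequestIsHttps(bool $trustProxyHeader = false): bool
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443) {
        return true;
    }
    if ($trustProxyHeader && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Replacement for the setCookie() shown above. The domain is left empty so
 * the browser scopes the cookie to the host that set it, which avoids the
 * hard-coded "myFAQURL" value and works for any installation.
 */
function pmfSetSessionCookie(string $name, string $sessionId = '', int $timeout = PMF_SESSION_EXPIRED_TIME): bool
{
    $secure = pmfRequestIsHttps();
    return setcookie($name, $sessionId, [
        'expires'  => $_SERVER['REQUEST_TIME'] + $timeout,
        'path'     => dirname($_SERVER['SCRIPT_NAME']),
        'domain'   => '',
        'secure'   => $secure,   // Secure only when HTTPS, else the cookie would never be sent
        'httponly' => true,      // pmf_sid is never exposed to document.cookie
        'samesite' => 'Lax',     // assumed extra; limits cross-site sending of the session id
    ]);
}
```

After deployment, check the Set-Cookie response header for pmf_sid: it must carry HttpOnly on every installation and Secure only on HTTPS ones.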
Re: Session Cookie (pmf_sid) PCI compliance
Hi Jochen,
1) can be configured by phpMyFAQ itself as it detects HTTP or HTTPS
2) I can add this in 2.10 if you like
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
Re: Session Cookie (pmf_sid) PCI compliance
Thanks this would be great. I have added an item in github:
https://github.com/thorsten/phpMyFAQ/issues/1349