@cundd opened this Issue on December 23rd 2019 Contributor

The test-cookie is not explicitly set as "secure". This generates a warning with our PCI Security Scan.

THREAT:
The cookie does not contain the "secure" attribute.
IMPACT:
Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
SOLUTION:
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
RESULT:
1 GET https://domain.com SG9ovKg0K_pk_testcookie.11.e5c9=1; path=/; domain=domain.com

A possible fix could be to pass configCookieIsSecure to the setCookie() function.

@@ -3925,7 +3925,7 @@ if (typeof window.Piwik !== 'object') {

                 // for IE we want to actually set the cookie to avoid trigger a warning eg in IE see <a href='/11507'>#11507</a>
                 var testCookieName = configCookieNamePrefix + 'testcookie';
-                               setCookie(testCookieName, '1');
+                setCookie(testCookieName, '1', undefined, configCookiePath, configCookieDomain, configCookieIsSecure);
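Review bot: because the test cookie is now set with an explicit path and domain (and, when configured, the secure flag), the code that clears it once the probe is done must pass the same path, domain and secure flag, otherwise the browser will not match the existing cookie and the test cookie will linger; that removal is not visible in this hunk, so please update it in the same change. Also worth a sentence in the PR description: with configCookieIsSecure enabled this probe will report no cookie support on a plain http page, since browsers refuse to store a Secure cookie set from an insecure origin, which is the correct answer because the real tracking cookies could not be stored either. Nit: the removed line is tab-indented while the replacement uses spaces.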

Is this a viable solution? Should I send a PR?
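The following is an added illustration of the behaviour discussed in this issue and is not code from the Matomo tracker or from the reporter; it mirrors the parameter order shown in the diff (name, value, msToExpire, path, domain, isSecure) but every function, class and variable name here (`buildCookieString`, `CookieJar`, `hasCookies`) is hypothetical. It builds the cookie string with or without the `secure` attribute, then runs a hasCookies-style probe against a small in-memory cookie store that models the browser rule that a Secure cookie set from an http: origin is rejected, and clears the test cookie with the same path and domain it was set with.

```javascript
// Added example, not Matomo's code. Names are hypothetical.

// Build the string that would be assigned to document.cookie for one cookie.
// Parameter order mirrors the setCookie() call shown in the issue's diff.
function buildCookieString(name, value, msToExpire, path, domain, isSecure) {
  let cookie = encodeURIComponent(name) + '=' + encodeURIComponent(value);
  if (msToExpire !== undefined) {
    // A negative msToExpire yields a date in the past, which deletes the cookie.
    cookie += '; expires=' + new Date(Date.now() + msToExpire).toUTCString();
  }
  cookie += '; path=' + (path || '/');
  if (domain) cookie += '; domain=' + domain;
  if (isSecure) cookie += '; secure';
  return cookie;
}

// Minimal model of a browser cookie store, keyed by (name, domain, path).
// Only the rules needed for this example are modelled.
class CookieJar {
  constructor(origin) {
    this.origin = origin;      // e.g. 'https://domain.com' or 'http://domain.com'
    this.store = new Map();
  }

  static key(name, domain, path) {
    return name + '|' + (domain || '') + '|' + (path || '/');
  }

  // Returns true if the cookie was accepted (stored or deleted), false if rejected.
  set(cookieString) {
    const parts = cookieString.split(';').map(s => s.trim());
    const eq = parts[0].indexOf('=');
    const name = decodeURIComponent(parts[0].slice(0, eq));
    const value = decodeURIComponent(parts[0].slice(eq + 1));
    const attrs = {};
    for (const p of parts.slice(1)) {
      const i = p.indexOf('=');
      if (i === -1) attrs[p.toLowerCase()] = true;
      else attrs[p.slice(0, i).toLowerCase()] = p.slice(i + 1);
    }
    // Browsers refuse to store a Secure cookie coming from a non-https origin.
    if (attrs.secure === true && !this.origin.startsWith('https:')) return false;
    const k = CookieJar.key(name, attrs.domain, attrs.path);
    if (attrs.expires && new Date(attrs.expires) <= new Date()) {
      this.store.delete(k);   // past expiry date: cookie is removed
    } else {
      this.store.set(k, { value, secure: attrs.secure === true });
    }
    return true;
  }

  get(name, domain, path) {
    const entry = this.store.get(CookieJar.key(name, domain, path));
    return entry ? entry.value : undefined;
  }
}

// hasCookies-style probe: set a test cookie that respects the configured
// path/domain/secure settings, check it was stored, then clear it using the
// same scoping attributes so it does not linger in the browser.
function hasCookies(jar, cookieNamePrefix, path, domain, isSecure) {
  const testCookieName = cookieNamePrefix + 'testcookie';
  jar.set(buildCookieString(testCookieName, '1', undefined, path, domain, isSecure));
  const supported = jar.get(testCookieName, domain, path) === '1';
  // Expire it one day in the past, with identical path/domain so it matches.
  jar.set(buildCookieString(testCookieName, '', -86400000, path, domain, isSecure));
  return supported;
}
```

On an https origin the probe succeeds with the secure flag set; on a plain http origin the same configuration makes the probe report no cookie support, which matches what would happen to the real tracking cookies under that configuration.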

@tsteur commented on December 23rd 2019 Member

@cundd be great. You probably want to respect the configCookieIsSecure setting when setting the cookie within the hasCookies method.

@cundd commented on January 15th 2020 Contributor

Should be fixed

This Issue was closed on January 15th 2020