PCI Compliance and sid_customer cookie

I ran a McAfee security compliance scan on my server. There are issues with the sid_customer cookie.

First, the entire store has to be under SSL in order to be PCI Compliant as the sid_customer is considered sensitive information and it should not be possible to intercept it. I believe the buyer’s name and address gets auto-populated from the customer ID so intercepting that cookie would allow a hacker to get all the auto-populated fields during check-out. Making the entire store SSL-protected is not the default option, and there aren’t even options to set it up that way from the admin panel. We had to configure it in another way.

Then, there are also alerts related to that cookie, although these are Level 1 alerts that do not prevent me from being PCI Compliant.

Issue #1: Sensitive Cookie Missing ‘HTTPONLY’ Attribute

The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the “HttpOnly” flag to be accessed via client-side scripts.

An attacker can easily steal a user’s session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).

Issue #2: Missing Secure Attribute in an Encrypted Session (SSL) Cookie

The application sets a cookie over a secure channel without using the “secure” attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack.

Issue #3: Potentially Sensitive Persistent Cookie Used By Domain

A persistent cookie that could potentially be sensitive has been found being used by your site. Potentially sensitive information could be session tokens, user IDs, or passwords.

Persistent cookies are saved to the client’s machine in a text file format. By doing this, the cookie can be used at a later time, even after the browser has been closed. Once the expires tag (a directive sent along with the cookie) has been reached, the cookie is then deleted from the client.

Attackers can view these saved cookies even after the user’s browser has been closed. With the amount of public terminals that are being used today, and the information that is saved in these cookies, an attacker can gain a lot of information about the users of these systems.

These alerts are not a big deal as long as the entire store is secured by SSL. But still, the way this cookie is handled could definitely be improved, by at least adding HTTPONLY and SECURE attributes.
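As an added example (not from the original post or the scanner), here is a small audit of Set-Cookie headers that reproduces the three findings above and shows the hardened header the post asks for; the sample headers and the list of "sensitive" name hints are constructed assumptions, not scanner rules.

```python
"""Audit Set-Cookie headers for missing HttpOnly, missing Secure, and sensitive persistent cookies."""
from dataclasses import dataclass, field

# Assumption: name fragments a scanner might treat as potentially sensitive (illustrative only).
SENSITIVE_HINTS = ("sid", "session", "token", "user", "customer", "auth")

# Constructed sample headers for this example (not captured from a real store).
SAMPLE_HEADERS = [
    "sid_customer=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",  # all three findings
    "sid_customer=abc123; Path=/; Secure; HttpOnly",                        # clean session cookie
    "lang=en; Path=/; Max-Age=31536000",                                    # persistent but not sensitive
]


@dataclass
class CookieAudit:
    name: str
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Return (name, attrs); attrs maps lowercase attribute names to values ('' for bare flags)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def _is_persistent(attrs: dict) -> bool:
    """Max-Age takes precedence over Expires (RFC 6265); a positive Max-Age or any Expires persists."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs


def audit_set_cookie(header: str, over_tls: bool) -> CookieAudit:
    """Flag the three scanner findings; 'missing Secure' only applies to cookies set over TLS."""
    name, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly")
    if over_tls and "secure" not in attrs:
        audit.findings.append("missing Secure")
    if any(h in name.lower() for h in SENSITIVE_HINTS) and _is_persistent(attrs):
        audit.findings.append("sensitive persistent cookie")
    return audit


def harden_set_cookie(header: str) -> str:
    """Append the Secure and HttpOnly attributes when they are absent (the fix the post suggests)."""
    _, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in attrs:
            out += f"; {flag}"
    return out
```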