PCI Scan Failed Due to Cookies - Help!

I’ve had my server PCI scanned by McAfee Secure, and I have pretty much boiled down the problems to one issue. All the others can be resolved at the webhost level, but this one vulnerability is almost certainly CS-Cart’s fault. I’m pasting McAfee’s description below the dashed line. Does anyone know how to fix this? I am running CS-Cart 2.0.14. Does anyone know if 2.0.15 fixes this? Thanks in advance for replies and help.

------------------------ From McAfee Secure ---------------------------------

The remote host appears to have set a potentially sensitive persistent cookie across the internet in plain text.

An HTTP cookie is a piece of text-based data created by a website and sent to a web browser client and then sent back to the website without modification by the browser. The various uses for HTTP cookies include authentication, differentiation of users, maintaining data related to a user when they are viewing the website, maintaining a list of contents stored, such as by a shopping cart application, etc. In short, this is a way to identify a user by the computer they used to access the site as well as providing a way for the browser to keep the session in memory for subsequent visits as well as personalization based on the preference of a particular user. Using cookies allows browser and server to “maintain state”.

The cookie that was set by the server was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user IDs, or passwords.

The potentially sensitive cookie was also sent over a non-encrypted channel. Using secure protocols to transmit cookies normally ensures a safe method of transmission. By sending cookies over non-secure channels, the cookie has the potential to be “sniffed” from network traffic. This has become a much larger issue when you take into account how many people today use wireless hot spots and public terminals.

The cookie was also persistent. Persistent cookies are saved to the client's machine in a text file format. By doing this, the cookie can be used at a later time, even after the browser has been closed. Once the expires tag (a directive sent along with the cookie) has been reached, the cookie is then deleted from the client. Attackers can view these saved cookies even after the user's browser has been closed. With the amount of public terminals that are being used today, and the information that is saved in these cookies, an attacker can gain a lot of information about the users of these systems.
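To make the scanner's three conditions concrete, here is an added Python example (not CS-Cart's or McAfee's code) that audits `Set-Cookie` headers the way the description above reads them: a name that looks like a session or identity cookie, no `Secure` attribute so it can travel in plain text, and a `Max-Age`/`Expires` that makes it persistent. The header samples, the `cart_session` name, and the name-based "sensitive" heuristic are all constructed assumptions; a real scan would have the actual headers from the site. The same parser also shows why a preference cookie such as a currency setting is a reasonable false positive even when it persists without `Secure`.

```python
"""Added example: audit Set-Cookie headers for the conditions a PCI scanner
describes. Not CS-Cart or McAfee code; cookie names and the name-based
"sensitive" heuristic are assumptions, and all header samples are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Name fragments that suggest a cookie carries a session token or identity (assumption).
SENSITIVE_HINTS = ("sess", "sid", "token", "auth", "user", "login", "pass")

# Fixed "current time" so the persistence check is reproducible (constructed).
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed samples: the kind of header that trips the scan, a hardened one,
# and a preference cookie that is persistent but not sensitive.
WEAK_HEADER = "cart_session=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"
FIXED_HEADER = "cart_session=abc123; Path=/; Secure; HttpOnly"
PREFERENCE_HEADER = "currency=USD; Max-Age=2592000; Path=/"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs, now=None):
    """True if the cookie outlives the browser session: Max-Age > 0 or a
    future Expires date. Max-Age takes precedence over Expires (RFC 6265)."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > now
    return False  # no lifetime given: discarded when the browser closes


def audit_cookie(header, over_tls=False, now=None):
    """Return the findings for one Set-Cookie header, in the scanner's terms.
    over_tls says whether the response carrying the header came over HTTPS."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if not any(hint in name.lower() for hint in SENSITIVE_HINTS):
        return findings  # preference-style cookie: nothing to flag
    if "secure" not in attrs:
        findings.append("sensitive cookie lacks the Secure attribute")
    if not over_tls:
        findings.append("sensitive cookie sent over a non-encrypted channel")
    if is_persistent(attrs, now):
        findings.append("sensitive cookie is persistent")
    return findings


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER),
                       ("preference", PREFERENCE_HEADER)):
        print(label, audit_cookie(hdr, over_tls=(label == "fixed"), now=REFERENCE_NOW))
```

Running it prints three findings for the weak header, none for the hardened header served over HTTPS, and none for the currency cookie. The fix the hardened header illustrates is to mark the session cookie `Secure` (so the browser only returns it over HTTPS) and drop the long `Expires`, so the session ends when the browser closes; the scanner's "persistent" and "plain text" conditions then both go away.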

OK thanks very much. I listed this as a false positive, and am now getting clean scans. Well, almost clean scans. I still have a couple of small issues, but both have very low scores and I am showing as PCI compliant by McAfee Secure.

This is all for the domain that my site is hosted on.

Does anyone know this: do I have to configure the IP address of my home/office internet connection to be scanned by McAfee as well? Some of the documentation I read seems to indicate that I should.