Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel

I get the following from McAfee Secure. I did not get this vulnerability when I was using 1.3.5. I am currently using 2.10.

Any suggestions on how to fix this? (Below is the explanition from McAfee)

The remote host appears to have set a potentially sensitive persistent cookie across the internet in plain text.

An HTTP cookie is a piece of text-based data created by a website and sent to a web browser client and then sent back to the website without modification by the browser. The various uses for HTTP cookies include authentication, differentiation of users, maintaining data related to a user when they are viewing the website, maintaining a list of contents stored as when used by a shopping cart application, etc. In short, this is a way to identify a user by the computer they used to access the site as well as providing a way for the browser to keep the session in memory for subsequent visits as well as personalization based on the preference of a particular user. Using cookies allows browser and server to “maintain state”.

The cookie that was set by the server was flagged as being potentially sensitive. Potentially sensitive information could be session tokens, user id’s, or passwords.

The potentially sensitive cookie that was also sent over a non-encrypted channel. Using secure protocols to transmit cookies normally ensures a safe method of transmission. By sending cookies over non-secure channels, the cookie the potential to be “sniffed” over network traffic. This has become a much larger issue when you take into account how many people today use wireless hot spots and public terminals.

The cookie was also persistent. Persistent cookies are saved to the clients machine in a text file format. By doing this, the cookie can be used at a later time, even after the browser has been closed. Once the expires tag (a directive sent along with the cookie) has been reached, the cookie is then deleted from the client. Attackers can view this saved cookies even after the users browser has been closed. With the amount of public terminals that are being used today, and the information that is saved in these cookies, an attacker can gain a lot of information about the users of these systems.

General Solution:

Verify the business need pertaining to the cookie. You should identify and answer ALL of the following questions:

Does the client need to send potentially sensitive information back and forth to the server?

In some cases their is a business need to do this, such as maintaining the user’s session. If this is the case, verify that the data in the cookie is encrypted.

Why is a sensitive cookie being sent over an insecure channel?

If this is a session cookie there is NO VALID REASON that this cookie is sent over an insecure channel. This cookie and potentially the entire site needs to be encrypted end-to-end using SSL.

Does the cookie need to be persistent (saved on the clients machine)?

Potentially sensitive cookies should never be saved to a clients machine. Verify the business case of why this is currently being done.

This has been reported and acknowledged in the Bug Tracker without any comment from the developers:



Thanks for the info.

When I was searching the forum “Persistent Cookie” I did not find this.

I am sure that others that have CS-CART are using McAfee Secure. Does anyone else have this problem OR what can be done as a work around? I am not PCI complient without a change to this.

Just wondering if this was ever resolved? We’re looking at McAfee Secure for 2 of our stores.

Nope - I still get the failure from McAfee.

Has there been a solution to this issue. I use McAfee Secure to scan my website and get this error too “Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel” This raises problems with PCI compliance and if there is a solution I would like to know what it is.

You just need to let McAfee know that no sensitive information is being submitted in the cookie and they will pass the exception. I contacted CS-Cart about this and received the following reply:

Please note that there is no sensitive information stored in the session cookies. The information stored in the session cookies contains the session’s ID and some settings only. Thank you.

Sincerely yours

Pavel Zyukin,

Technical support engineer

You might consider running your entire store over SSL. This will resolve the issue.

[quote name=‘grayloon’]You might consider running your entire store over SSL. This will resolve the issue.[/QUOTE]

And uses double (or more) of the bandwidth for conveying the same information.