Errors with XC5 Cookie settings when an XC5 store is HTTPS only
#1, 10-10-2017, 09:21 PM
Triple A Racing (X-Adept; Join Date: Jul 2008; Location: Manchester UK; Posts: 473)

Errors with XC5 Cookie settings when an XC5 store is HTTPS only

All of our store setups are 100% https only and have been since day 1 with XC5. On the server side, this is via permanent SEO-safe 301 redirects from HTTP to HTTPS but also, the XC5 https://*.*/admin.php?target=https_settings page and Redirect customers to HTTPS flag is set to YES. All of this is fine, it works and there are no issues here. The small issue is the XC5 cookie setting...

If the Redirect customers to HTTPS flag is set to YES by Admin, then by default, the XC5 cookie should include a Secure flag designed to protect cookies against their accidental transmission over HTTP. Okay, it's technically impossible in our case, especially with HSTS in place too...but the lack of the Secure flag in the cookie is brought up as an error, on every single test site you may care to use. This is correct as it's contradictory in terms of setup flags.

This doesn't impede trading, but as far as we can see, this hasn't already been noticed / tested / added previously by XC, so technically it's another very small bug, but moving forward positively, why can't this simply be added in the next XC5 upgrade? Especially as all other cookie directives have been comfortably met by XC5 already and have been for some time now (see below).
Quote:
Secure: All cookies must be set with the Secure flag, indicating that they should only be sent over HTTPS

HttpOnly: Cookies that don't require access from JavaScript should be set with the HttpOnly flag

Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly

Expires: Sets an absolute expiration date for a given cookie

Max-Age: Sets a relative expiration date for a given cookie (not supported by IE <

Domain: Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible

Path: Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory
__________________
Business XC 5.3.3.4 Live (+ Dev Stores For Testing)
Plesk 17.5.3 / CentOS 7.4.1708 / Nginx 1.12.1
RHEL 7 Apache 2.4.6 / MariaDB 10.1.28 / PHP 7.1.10
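The check the post describes (an HTTPS-only store whose session cookie is issued without Secure) can be reproduced offline by auditing the Set-Cookie header against the quoted list. This is an added example, not X-Cart code; the cookie name "xid" and the two sample headers are constructed for illustration.

```python
"""Audit Set-Cookie header values for the attributes quoted in the post.

Added example, not part of X-Cart. The cookie name and header values
below are constructed; point the audit at real response headers from a
test site to reproduce the "missing Secure flag" finding.
"""


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure have val == ""
    return name.strip(), value, attrs


def audit_set_cookie(header_value, https_only=True):
    """Return a list of findings; an empty list means the cookie passes.

    https_only=True models the "Redirect customers to HTTPS = YES" setup
    from the post, where every cookie is expected to carry Secure.
    """
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if https_only and "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag on an HTTPS-only site")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append(f"{name}: no Expires or Max-Age set")
    if "domain" in attrs:
        findings.append(f"{name}: Domain={attrs['domain']} widens cookie scope")
    return findings


# Constructed sample headers: the first is the situation reported above.
SAMPLE_HEADERS = [
    "xid=0123456789abcdef; path=/; HttpOnly",
    "xid=0123456789abcdef; path=/; Secure; HttpOnly; Max-Age=3600",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header) or "OK")
```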
#2, 10-16-2017, 09:42 PM
qualiteam (X-Guru; Join Date: Dec 2010; Posts: 5,673)

Re: Errors with XC5 Cookie settings when an XC5 store is HTTPS only

I've forwarded this information to the XC5 dev team.
__________________
Alex Solovev,
Qualiteam
X-Cart forums © 2001-2017