QUESTION How to add $cookie_secure?
#1
I use GetSimple for most things (because it's great to work with); however, I've had an alert from the 'National Cyber Security Centre' flagging a warning about a possible 'Permissive Cross Origin Resource Sharing policy'.

Wanted to pick a few people's brains.

I was initially thinking that because the secure flag was not seen to be set in Google Chrome's inspector, it wasn't set at all.

I've tried setting the $cookie_secure variable to true within cookie_function.php (located in admin/inc) but it doesn't work.


Any ideas?

Many thanks
Reply
#2
Give us more information:

First of all:
Can you repeat this message popup?

Second:
Where did this message pop up?
What windows were open during the message popup?
http or https?
What browser are you using?
Reply
#3
(2020-10-30, 00:41:11)Felix Wrote: Give us more information:

First of all:
Can you repeat this message popup?

Second:
Where did this message pop up?
What windows were open during the message popup?
http or https?
What browser are you using?

Hi Felix, the message isn't on screen; it's generated online by an organisation who evaluate the website (which I can't disclose for security reasons) and then I read their notices. The website uses HTTPS.

I noticed that the GS cookie GS_ADMIN_USERNAME already has a setting of http_only but not secure.

I need to add secure as I think it may resolve the issue and close the CORS problem.

I looked in the configuration.php but changing the setting for $cookie_secure to TRUE didn't work.

Code:
// cookie config
$cookie_name        = lowercase($name_url_clean) .'_cookie_'. $ver_no_clean; // non-hashed name of cookie
$cookie_login       = 'index.php'; // login redirect
$cookie_time        = '10800';     // in seconds, 3 hours
$cookie_path        = '/';         // cookie path
$cookie_domain      = null;        // cookie domain
$cookie_secure      = null;        // cookie secure only
$cookie_httponly    = true;        // cookie http only


Thanks
Reply
#4
What plugins are you using?

Try to disable all your plugins, one by one,
and each time you disable a plugin,
check that message again.
Reply
#5
Try this scanner to find a solution:
https://portswigger.net/burp/vulnerability-scanner

They have a free trial:
https://portswigger.net/burp/pro/trial
Reply
#6
Did you develop your site locally, and so might have any leftover http URLs that you forgot to change to https?
Any MaxCDN on http? If using Webfonts from Google, Typekit, etc., try to disable them and check again.
Reply
#7
(2020-10-30, 02:00:19)Felix Wrote: Did you develop your site locally, and so might have any leftover http URLs that you forgot to change to https?
Any MaxCDN on http? If using Webfonts from Google, Typekit, etc., try to disable them and check again.

Will do. Thanks Felix

Much appreciated

Craig
Reply
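
Added example, not part of the thread and not GetSimple code: the Secure cookie attribute travels in `Set-Cookie`, while a CORS policy is expressed in the `Access-Control-Allow-*` response headers, so this sketch audits both from one set of response headers. The header values are constructed samples (only the cookie name GS_ADMIN_USERNAME comes from the thread), and the function names are hypothetical.

```python
# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "GS_ADMIN_USERNAME=admin; path=/; HttpOnly"),
    ("Set-Cookie", "example_cookie=abc123; path=/; Secure; HttpOnly"),
    ("Access-Control-Allow-Origin", "*"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

def missing_cookie_flags(set_cookie_value):
    """Return (cookie name, [flags absent from this Set-Cookie value])."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, [f for f in ("Secure", "HttpOnly") if f.lower() not in present]

def cors_findings(headers, probe_origin=None):
    """Flag permissive Access-Control-Allow-Origin values.

    probe_origin is the Origin value the auditor sent with the request, if
    any; seeing it echoed back means the server reflects the caller's origin.
    """
    h = {k.lower(): v.strip() for k, v in headers}
    acao = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("CORS: any origin allowed (*)")
    elif acao == "null":
        findings.append("CORS: 'null' origin allowed")
    elif acao and probe_origin and acao == probe_origin:
        findings.append("CORS: request Origin reflected")
    # Browsers refuse credentialed requests when the value is "*",
    # so credentials only matter for the other two cases.
    if findings and with_creds and acao != "*":
        findings.append("CORS: credentials allowed for that origin")
    return findings

def audit(headers, probe_origin=None):
    """Audit a list of (name, value) response headers; return finding strings."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, missing = missing_cookie_flags(value)
            findings += [f"cookie {name}: missing {flag}" for flag in missing]
    return findings + cors_findings(headers, probe_origin)

if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
```
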



