6
votes

Our site is an SSL-secured site, and the Magento 'secure' and 'unsecure' URL variables both point at an https:// URL. However, a PCI audit indicated that the cookies are unsecure. They want to see the 'secure' keyword when cookies are created via Set-Cookie in the page header.

I see Magento uses this function in \shop\app\code\core\Mage\Core\Model\Cookie.php

// Fall back to the model's defaults when the caller passed null
if (is_null($secure)) {
    $secure = $this->isSecure();
}
if (is_null($httponly)) {
    $httponly = $this->getHttponly();
}

// $secure decides whether PHP adds the 'secure' attribute to Set-Cookie
setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);

but I am not sure where the value of isSecure() is coming from and why the header does not contain the text 'secure'?

Set-Cookie in page header:

frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; path=/; domain=www.mydomaine.com; HttpOnly

1 Answers

8
votes

Magento sets secure cookies for admin only; try to install the http://www.magentocommerce.com/magento-connect/secure-frontend-cookie.html module, it should help :)

If it does not help, just override isSecure from the Mage_Core_Model_Cookie model, method:

public function isSecure()
{
    return $this->_getRequest()->isSecure();
}
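To confirm the override actually fixes what the audit flagged, here is an added checker (not part of the question, the answer or Magento) that parses Set-Cookie header values and reports cookies that lack the Secure or HttpOnly attribute; the sample headers are constructed, the first mirroring the header quoted in the question.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are
    normalised to lower case; flag attributes such as 'secure' and
    'HttpOnly' carry no value and are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str], site_is_https: bool = True) -> List[str]:
    """Return one finding per cookie missing Secure (HTTPS sites) or HttpOnly."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        if site_is_https and "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly attribute")
    return findings


# Constructed samples: the first is the frontend cookie from the question
# (no Secure flag), the second is what the isSecure() override should yield.
SAMPLE_HEADERS = [
    "frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; "
    "path=/; domain=www.mydomaine.com; HttpOnly",
    "frontend=sj4j9kltv7nc00gk8s0i81koi3; expires=Thu, 06-Nov-2014 23:39:11 GMT; "
    "path=/; domain=www.mydomaine.com; secure; HttpOnly",
]

if __name__ == "__main__":
    for line in audit_cookies(SAMPLE_HEADERS) or ["all cookies carry Secure and HttpOnly"]:
        print(line)
```

Feed it the Set-Cookie values captured from the storefront before and after the change; an empty result for an HTTPS site means both attributes are present on every cookie.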