Support

May 1, 2020 at 3:53 pm

Hi Susan,

Event Espresso actually needs the PHPSESSID session cookie. Without it, the registration process will not work.

May I ask what was the message from the PCI scan failure?

If the message was “Cookie Does Not Contain The “secure” Attribute” then you could contact your server administrator and ask them to follow this guide:

https://geekflare.com/httponly-secure-cookie-apache/

May 4, 2020 at 5:37 am

Hi Susan,

May I ask, which level of compliance are you working towards?

Which payment method are you using?

If your host is not prepared to implement changes to maintain PCI compliance then it’s more than likely you’ll need to switch hosts, even if you chose to move away from Event Espresso to use another e-commerce platform as the majority of steps you’ll need to take to be compliant are server-side and have very little to do with Event Espresso itself.

You could try adding:

ini_set('session.cookie_httponly',1);

to your sites wp-config.php file somewhere before the line /* That's all, stop editing! Happy blogging. */

Or, set it within your php.ini file using session.cookie_httponly = 1

Take a look here:
https://www.simonholywell.com/post/2013/05/improve-php-session-cookie-security/

May 4, 2020 at 7:08 am

If you load your site using Chrome and open up Chrome Dev Tools you can check if the change actually worked or not through that.

Open it up and go to the Network tab.

Refresh the browser to load all of the contents of the site whilst in dev mode.

Click on the first instance of your domain in the list and view cookies: https://monosnap.com/file/Qme3Zd4O3YK8tHSp3J08kHmdmSiEnJ

(Note I’ve blurred any identifying info in the screenshot as you haven’t posted your site here but I’m guessing you can tell if that’s your site from what is visible)

May 4, 2020 at 8:31 am

Should I remove that edit to the wp-config file?

Sounds like the code isn’t making a difference, so yes.

You could try adding this to the beginning of your .htaccess file:

php_flag session.cookie_httponly on

I also got this error message in my WP Dashboard after I made the wp-config file change.

Sounds like there is something else going on as that change wouldn’t de-activate the Auth.net accept add-on.

Remove the code from wp-config.php, re-activate the add-on and try the code above in .htaccess

May 4, 2020 at 9:35 am

The error message being the one with regards to the payment method de-activating?

If so, that’s a persistent notice and will stay until you dismiss it as its an important message. If you dismiss it and the notice instantly re-appears then there are other issues.

Accept uses an iframe method, as you know, and it presents itself in a box with a horizontal scrollbar. I don’t remember it looking like that prior to this point.

The code I gave you doesn’t change anything on the site, so it was likely like that prior to this unless you had some custom CSS on the site altering the output?

Is there a test event I can run a registration on to view this?

I wasn’t able to make your .htaccess idea work. I got a 500 error when I tried it.

You really need your host to set this up for you, but apparently they are unwilling to do so. To be honest, my advice would be to change hosts as I’m not sure how else you would work through this if they won’t.