
PHPSESSID

Posted: May 1, 2020 at 3:21 pm


Susan Hayse

May 1, 2020 at 3:21 pm

I need to stop this PHPSESSID cookie from being set by EE. It’s causing me to fail my PCI Scan. I’m pretty sure that EE is the only plugin that’s responsible for this cookie.


Josh

  • Support Staff

May 1, 2020 at 3:53 pm

Hi Susan,

Event Espresso actually needs the PHPSESSID session cookie. Without it, the registration process will not work.

May I ask what was the message from the PCI scan failure?

If the message was “Cookie Does Not Contain The “secure” Attribute” then you could contact your server administrator and ask them to follow this guide:

https://geekflare.com/httponly-secure-cookie-apache/


Susan Hayse

May 2, 2020 at 6:12 am

Thanks, Josh. It’s this:

Non-HttpOnly Session Cookies Identified
Non-Secure Session Cookies Identified

So I think that’s what you’re referring to. I’ve already contacted my host company and they said:

“Unfortunately, due to management decisions, we are no longer supporting PCI compliance on our servers. We removed all advertisements for the PCI compliance and I am afraid it will not be possible to apply such customization to the server setup.

As you are probably aware, we are in the middle of software transition. We are changing from cPanel to our own custom in-house site management tool called Site Tools. We currently postpone any form of custom setups such as the PCI compliance for our servers because the modifications might not work properly on the new setup.”

Is it possible to remedy this if I alter my php.ini file instead?

This is sort of a big deal because if the host won’t alter anything for us, we’ll have to leave the host or leave EE. 🙁


Tony

  • Support Staff

May 4, 2020 at 5:37 am

Hi Susan,

May I ask, which level of compliance are you working towards?

Which payment method are you using?

If your host is not prepared to implement changes to maintain PCI compliance then it’s more than likely you’ll need to switch hosts, even if you choose to move away from Event Espresso to use another e-commerce platform, as the majority of steps you’ll need to take to be compliant are server-side and have very little to do with Event Espresso itself.

You could try adding:

ini_set('session.cookie_httponly',1);

to your site’s wp-config.php file somewhere before the line /* That's all, stop editing! Happy blogging. */

Or, set it within your php.ini file using session.cookie_httponly = 1

Take a look here:
https://www.simonholywell.com/post/2013/05/improve-php-session-cookie-security/


Susan Hayse

May 4, 2020 at 6:59 am

Thanks, Tony. I’ll try the wp-config suggestion and see if I can pass.

I believe we’re Level 4 compliance – not that many transactions.

We host with SiteGround
Our gateway is Authorize.net
Our processor is Wells Fargo – Trustwave is Wells Fargo’s requirement for businesses that process credit cards through POS devices and websites, so we must use them.


Tony

  • Support Staff

May 4, 2020 at 7:08 am

If you load your site using Chrome and open up Chrome Dev Tools you can check if the change actually worked or not through that.

Open it up and go to the Network tab.

Refresh the browser to load all of the contents of the site whilst in dev mode.

Click on the first instance of your domain in the list and view cookies: https://monosnap.com/file/Qme3Zd4O3YK8tHSp3J08kHmdmSiEnJ

(Note I’ve blurred any identifying info in the screenshot as you haven’t posted your site here but I’m guessing you can tell if that’s your site from what is visible)


Tony

  • Support Staff

May 4, 2020 at 7:32 am

Also, as you’re using Auth.net Accept, are you working through SAQ-A currently?


Susan Hayse

May 4, 2020 at 8:11 am

I can see the cookie is still loading – I already made the update to our wp-config file, per your instructions, then checked the cookie and rescheduled the scan. We are still failing the scan, despite the change.

I also got this error message in my WP Dashboard after I made the wp-config file change.

The payment method Authorize.net Accept was automatically deactivated because it appears its associated Event Espresso Addon was recently deactivated.
It can be reactivated on the Plugins admin page, then you can reactivate the payment method.

Should I remove that edit to the wp-config file?


Susan Hayse

May 4, 2020 at 8:21 am

Also, as you’re using Auth.net Accept, are you working through SAQ-A currently?

As far as SAQ-A, I don’t know but I assume so.


Tony

  • Support Staff

May 4, 2020 at 8:31 am

Should I remove that edit to the wp-config file?

Sounds like the code isn’t making a difference, so yes.

You could try adding this to the beginning of your .htaccess file:

php_flag session.cookie_httponly on

I also got this error message in my WP Dashboard after I made the wp-config file change.

Sounds like there is something else going on as that change wouldn’t de-activate the Auth.net accept add-on.

Remove the code from wp-config.php, re-activate the add-on and try the code above in .htaccess


Susan Hayse

May 4, 2020 at 9:11 am

I’ve reactivated the Auth.net Accept payment method but the error message persists. Accept uses an iframe method, as you know, and it presents itself in a box with a horizontal scrollbar. I don’t remember it looking like that prior to this point.

I wasn’t able to make your .htaccess idea work. I got a 500 error when I tried it.

Thanks for trying to solve this for me. If you can offer any advice about the error message for the Accept plugin, let me know.


Tony

  • Support Staff

May 4, 2020 at 9:35 am

The error message being the one with regards to the payment method de-activating?

If so, that’s a persistent notice and will stay until you dismiss it, as it’s an important message. If you dismiss it and the notice instantly re-appears then there are other issues.

Accept uses an iframe method, as you know, and it presents itself in a box with a horizontal scrollbar. I don’t remember it looking like that prior to this point.

The code I gave you doesn’t change anything on the site, so it was likely like that prior to this unless you had some custom CSS on the site altering the output?

Is there a test event I can run a registration on to view this?

I wasn’t able to make your .htaccess idea work. I got a 500 error when I tried it.

You really need your host to set this up for you, but apparently they are unwilling to do so. To be honest, my advice would be to change hosts as I’m not sure how else you would work through this if they won’t.


Susan Hayse

May 4, 2020 at 9:41 am

Thanks again – really appreciate the help!


Susan Hayse

May 4, 2020 at 12:56 pm

Tony, I wanted to let you know that these lines, added to my php.ini file, did the trick. I was able to pass the Trustwave PCI scan.

session.cookie_httponly = 1
session.use_only_cookies = 1
session.cookie_secure = 1
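A way to verify the fix without waiting for a rescan, as an added example that is not code from this thread or from Event Espresso: it parses Set-Cookie header values (constructed samples of the default PHP session cookie and of the cookie after the php.ini settings above) and reports session cookies lacking the HttpOnly or Secure attribute, which are the two findings the scan raised.

```python
import re

# Cookie names treated as session cookies. PHPSESSID is PHP's default
# session cookie name; the pattern also catches renamed variants.
SESSION_NAME_RE = re.compile(r"sess", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased because browsers match them
    case-insensitively ("HttpOnly", "httponly" and "HTTPONLY" are equal).
    Flag attributes such as Secure and HttpOnly get an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookies(set_cookie_headers):
    """Return scan-style findings for every session cookie that is missing
    HttpOnly (readable by page scripts) or Secure (sent over plain HTTP)."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not SESSION_NAME_RE.search(name):
            continue  # not a session cookie, so outside the scan's check
        if "httponly" not in attrs:
            findings.append(f"Non-HttpOnly Session Cookies Identified: {name}")
        if "secure" not in attrs:
            findings.append(f"Non-Secure Session Cookies Identified: {name}")
    return findings


# Constructed samples: what PHP emits by default, and what it emits with
# session.cookie_httponly = 1 and session.cookie_secure = 1 in php.ini.
BEFORE = ["PHPSESSID=abc123; path=/"]
AFTER = ["PHPSESSID=abc123; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_session_cookies(headers) or "no findings")
```

The same function can be run over the Set-Cookie values copied from the Network tab in browser dev tools, as described earlier in the thread.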
