PCI Compliance, Apache / PHP
Posted on 2014-07-15
We're having an issue with PCI compliance on our webserver. Our compliance company is SecureWorks. Server is Ubuntu LTS 14.04.
Here's the info:
Threat: Many Web sites support the idea of user sessions. Each user connecting to the site is issued a unique session ID, which is then used to identify all subsequent requests made by that user, either encoded in the URLs, or as a cookie. The server can then store data for each user session such as the state of a Web shopping cart. Session IDs are also often used to control access to sites requiring a login. Instead of sending the username/password with every request, the site issues a session ID after the user logs on, and the session ID identifies the user for the rest of the session.
Solution: This issue may be caused by the Web server, the Web application server or the Web application itself. ... Use strong cryptographic algorithms to generate random session IDs. ... Any meaningful data being used in session IDs should be one-way encrypted.
Session cookies are:
#1: Set-Cookie: analyt=236872466
#2: Set-Cookie: analyt=236872466
#3: Set-Cookie: analyt=236872466
#4: Set-Cookie: analyt=236872466
#5: Set-Cookie: analyt=236872466
Percentage of common characters among subsequent cookies: 100%
The session id is actually 103 characters long (sha512). Any clue on how to fix this?
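The scanner's "percentage of common characters among subsequent cookies" can be reproduced locally with a script like the one below, which is added here and is not part of the original post or of SecureWorks' tooling. The Set-Cookie lines are constructed samples (the `analyt` values copy the post, the `PHPSESSID` values are made up), and the position-by-position scoring rule is an assumption about how the scanner counts.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers standing in for five successive responses.
# "analyt" is constant across responses (as in the post); "PHPSESSID" is
# a made-up series with no character in common at any position.
SAMPLE_HEADERS = [
    "Set-Cookie: analyt=236872466; Path=/",
    "Set-Cookie: PHPSESSID=abcdef; Path=/; HttpOnly",
    "Set-Cookie: analyt=236872466; Path=/",
    "Set-Cookie: PHPSESSID=ghijkl; Path=/; HttpOnly",
    "Set-Cookie: analyt=236872466; Path=/",
    "Set-Cookie: PHPSESSID=mnopqr; Path=/; HttpOnly",
    "Set-Cookie: analyt=236872466; Path=/",
    "Set-Cookie: PHPSESSID=stuvwx; Path=/; HttpOnly",
    "Set-Cookie: analyt=236872466; Path=/",
    "Set-Cookie: PHPSESSID=yz0123; Path=/; HttpOnly",
]

def parse_set_cookie(header: str) -> Tuple[str, str]:
    """Return (name, value) from a raw 'Set-Cookie:' header line, ignoring attributes."""
    body = header.split(":", 1)[1].strip()
    name, _, value = body.split(";", 1)[0].partition("=")
    return name.strip(), value.strip()

def common_char_ratio(a: str, b: str) -> float:
    """Fraction of positions at which two cookie values carry the same character (assumed scoring rule)."""
    width = max(len(a), len(b))
    if width == 0:
        return 1.0
    return sum(1 for x, y in zip(a, b) if x == y) / width

def cookie_similarity(headers: List[str]) -> Dict[str, float]:
    """Per cookie name, mean similarity of each value to its predecessor, as a percentage."""
    series: Dict[str, List[str]] = {}
    for h in headers:
        name, value = parse_set_cookie(h)
        series.setdefault(name, []).append(value)
    result: Dict[str, float] = {}
    for name, values in series.items():
        pairs = list(zip(values, values[1:]))
        if pairs:
            result[name] = 100.0 * sum(common_char_ratio(a, b) for a, b in pairs) / len(pairs)
    return result

def random_baseline(samples: int = 5) -> float:
    """Similarity score for freshly generated 256-bit hex tokens, i.e. what a random session ID should look like."""
    tokens = [secrets.token_hex(32) for _ in range(samples)]
    return cookie_similarity([f"Set-Cookie: sid={t}" for t in tokens])["sid"]
```

Running `cookie_similarity` over headers captured from repeated requests to the site shows which cookie name scores near 100%; a constant value such as `analyt` will, while a cookie populated from a CSPRNG stays near the `random_baseline` figure of a few percent.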