PCI Compliance, Apache / PHP

Posted on 2014-07-15
Last Modified: 2014-07-15
We're having an issue with PCI compliance on our web server. Our compliance company is SecureWorks. The server is Ubuntu 14.04 LTS.

Here's the info:
QID: 86310
Severity: 3
Threat: Many Web sites support the idea of user sessions. Each user connecting to the site is issued a unique session ID, which is then used to identify all subsequent requests made by that user, either encoded in the URLs, or as a cookie. The server can then store data for each user session such as the state of a Web shopping cart. Session IDs are also often used to control access to sites requiring a login. Instead of sending the username/password with every request, the site issues a session ID after the user logs on, and the session ID identifies the user for the rest of the session.

Solution: This issue may be caused by the Web server, the Web application server or the Web application itself. ... Use strong cryptographic algorithms to generate random session IDs. ... Any meaningful data being used in session IDs should be one-way encrypted.

Session cookies are:
#1: Set-Cookie: analyt=236872466
#2: Set-Cookie: analyt=236872466
#3: Set-Cookie: analyt=236872466
#4: Set-Cookie: analyt=236872466
#5: Set-Cookie: analyt=236872466
Percentage of common characters among subsequent cookies: 100%

The session id is actually 103 characters long (sha512). Any clue on how to fix this?
Question by:sgcity

    Accepted Solution

    Tricky Google search came up with this:

    It's a false positive. We'll report it as such.

    Expert Comment

    by:Dave Baldwin
    Those don't look like PHP session cookies to me. Are you using your own 'session' code instead of PHP's built-in session code? PHP session cookies / IDs are like "c4nu8engut3bd34c1f05v9ihi6" which is 27 characters.
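    The finding quoted in the question is driven entirely by the `analyt` cookie: the scanner has no way to know which cookie the application uses as its session ID, so it measures every Set-Cookie it receives, and a value that never changes scores 100% common characters whatever the real session ID looks like. The script below is an added example, not code from the thread, from Qualys or from SecureWorks; it reproduces that check as we read it (share of character positions at which successive values of the same cookie agree, averaged over the pairs), runs it over a constructed set of five responses that carry both the fixed `analyt` value from the scan output and made-up PHPSESSID values of the 26-character shape Dave Baldwin describes, and shows how a CSPRNG-generated session ID of the kind the solution text asks for would score. The 50% flag threshold and the 16-character minimum are this example's own choices, not the scanner's. One caveat worth checking before filing the false-positive report: a hex SHA-512 digest is 128 characters and a base64 one is 88, so it is worth confirming what the 103-character value actually is and that it, not `analyt`, is the cookie the scanner should be judged on.

```python
"""Cookie-randomness check in the spirit of the QID 86310 finding above.

Added example, not code from the original thread, from Qualys or from
SecureWorks. It assumes the scanner's "percentage of common characters
among subsequent cookies" means: for each pair of successive Set-Cookie
values of the same name, the share of character positions at which they
agree, averaged over the pairs. The 50% flag threshold and the minimum
length are this example's own choices. All responses below are
constructed samples, not captured traffic.
"""
import re
import secrets

# Constructed sample: five responses from one server that sets both the
# fixed analytics cookie from the scan output and a PHP session cookie.
# The PHPSESSID values are made up to look like PHP's default 26-character
# [0-9a-v] IDs; they are not real sessions.
SAMPLE_RESPONSES = [
    ["Set-Cookie: analyt=236872466",
     "Set-Cookie: PHPSESSID=c4nu8engut3bd34c1f05v9ihi6; path=/"],
    ["Set-Cookie: analyt=236872466",
     "Set-Cookie: PHPSESSID=p7q2rlk9a0sdm5ve8bt4hoj1nc; path=/"],
    ["Set-Cookie: analyt=236872466",
     "Set-Cookie: PHPSESSID=3ga7tb9hcv2l0sqm6kd1pu8fr5; path=/"],
    ["Set-Cookie: analyt=236872466",
     "Set-Cookie: PHPSESSID=u1hd4kqp6e9svn2o3tb7lm0cga; path=/"],
    ["Set-Cookie: analyt=236872466",
     "Set-Cookie: PHPSESSID=9rv3cj5kd8na1fm0ub6tg2pl7s; path=/"],
]

SET_COOKIE_RE = re.compile(r"^\s*Set-Cookie:\s*([^=;\s]+)=([^;]*)", re.IGNORECASE)


def parse_set_cookie(header):
    """Return (name, value) from one Set-Cookie header; attributes are dropped."""
    m = SET_COOKIE_RE.match(header)
    if not m:
        raise ValueError("not a Set-Cookie header: %r" % header)
    return m.group(1), m.group(2).strip()


def values_by_name(responses):
    """Collect, per cookie name, the value set in each response, in order."""
    seen = {}
    for headers in responses:
        for h in headers:
            name, value = parse_set_cookie(h)
            seen.setdefault(name, []).append(value)
    return seen


def common_char_percentage(values):
    """Average, over successive pairs, of the share of positions that agree.
    Positions beyond the shorter value count as differing."""
    pairs = list(zip(values, values[1:]))
    if not pairs:
        return 0.0
    total = 0.0
    for a, b in pairs:
        same = sum(1 for x, y in zip(a, b) if x == y)
        total += same / max(len(a), len(b))
    return 100.0 * total / len(pairs)


def assess(responses, flag_threshold=50.0, min_length=16):
    """Map cookie name -> (percent common, verdict) for every cookie seen.

    Every cookie is a candidate: a scanner cannot tell which one the
    application uses as its session ID, which is why a constant analytics
    cookie produces this finding on its own."""
    report = {}
    for name, values in values_by_name(responses).items():
        pct = common_char_percentage(values)
        if len(set(values)) == 1 or pct >= flag_threshold:
            verdict = "static or predictable"
        elif min(len(v) for v in values) < min_length:
            verdict = "random but short"
        else:
            verdict = "looks random"
        report[name] = (round(pct, 1), verdict)
    return report


def new_session_id(nbytes=32):
    """A session ID of the kind the solution text asks for: CSPRNG output
    with no meaningful data inside. 32 bytes -> 64 hex characters, 256 bits."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for name, (pct, verdict) in assess(SAMPLE_RESPONSES).items():
        print("%-10s %5.1f%% common  -> %s" % (name, pct, verdict))
    print("fresh id:", new_session_id())
```

    Run against real traffic, `SAMPLE_RESPONSES` would be replaced by the Set-Cookie headers of five fresh, cookie-less requests to the login page; any cookie reported as "static or predictable" is the one the scanner is complaining about, and if that is an analytics or tracking cookie rather than the session cookie, the false-positive report in the accepted solution is the right response, with the report listing the real session cookie's name and its "looks random" result as evidence.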
