Greetings,
I am using Multisites version 1.286 on our site. The component works really well. However, we ran a PCI scan on our sites last week and we got a fail on the three slave sites I have deployed. The master site was fine and passed the scan.
I tried uninstalling extensions, etc., to see if there was some kind of conflict, but did not get anywhere. I also attempted to do a server configuration fix, as recommended by the scanning software. That did not work either. This is the message we are getting:
"The scanner found a Web application on the target that uses cookies. The application seems to use cookies (likely, session IDs) in an insecure way. Specifically, the scanner created a web session with the target using a session ID specified by the scanner itself. The target application simply started a new session with this specified session ID. This issue is generally called "session-fixation" and is vulnerable to session-hijacking attacks."
Again, we do not get this error on the master site when we do the scan, only the slave sites. Any ideas?
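
The behaviour the scanner message describes, as an added example that is not part of the original post and is not Joomla or Multisites code: a toy session store that adopts a client-supplied session ID, next to a strict one that only resumes IDs it issued and rotates the ID at login. The class, function and probe names are hypothetical.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (constructed model, not Joomla or Multisites code)."""

    def __init__(self, strict):
        self.strict = strict      # True: only accept IDs this server issued
        self.sessions = {}        # session ID -> session data

    def _issue(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def start(self, cookie_sid=None):
        """Return the session ID the server will use for this request."""
        if cookie_sid in self.sessions:
            return cookie_sid                 # known session: resume it
        if cookie_sid and not self.strict:
            self.sessions[cookie_sid] = {}    # fixation: adopts the client's ID
            return cookie_sid
        return self._issue()                  # unknown or missing ID: mint a new one

    def login(self, sid, user):
        """Authenticate; the strict store also rotates the ID at the privilege change."""
        data = self.sessions.pop(sid) if self.strict else self.sessions[sid]
        data["user"] = user
        if self.strict:
            sid = self._issue()               # old ID is now useless to anyone holding it
            self.sessions[sid] = data
        return sid


def accepts_client_chosen_id(store, probe="scanner-chosen-id"):
    """The scanner's check: does the server start a session under an ID we picked?"""
    return store.start(probe) == probe
```

The non-strict store reproduces the finding reported for the slave sites; the strict store is the behaviour a passing site shows.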