JMS Multi Site, formerly Joomla Multisite.
Create and share multiple Joomla sites in a few clicks!
MultiSites and Possible Session Fixation Error
#10893
MultiSites and Possible Session Fixation Error 12 Years ago Karma: 0
Greetings,

I am using Multisites version 1.286 on our site. The component works really well. However, we ran a PCI scan on our sites last week and we got a fail on the three slave sites I have deployed. The master site was fine and passed the scan.

I tried uninstalling extensions etc, to see if there was some kind of conflict, but did not get anywhere. I also attempted to do a server configuration fix, as recommended by the scanning software. That did not work either. This is the message we are getting:

"The scanner found a Web application on the target that uses cookies. The application seems to use cookies (likely, session IDs) in an insecure way.
Specifically, the scanner created a web session with the target using a session ID specified by the scanner itself. The target application simply
started a new session with this specified session ID. This issue is generally called "session-fixation" and is vulnerable to session-hijacking attacks."

Again, we do not get this error on the master site when we do the scan, only the slave sites. Any ideas?
rryan
Fresh Boarder
Posts: 1
The administrator has disabled public write access.
 
#10897
Re: MultiSites and Possible Session Fixation Error 12 Years ago Karma: 54
With JMS, you use the SAME Joomla application.
The code is unique and therefore, I don't know what do you PCI (and also what that means).

It is inconsistent that you mentioned that for the master this is OK and for the slave site this is not OK. This is the same PHP code.

Sorry, but without detailed info on the PHP code that would be invalid and the recommendation to fix that, I don't see the reason for this PCI result.

Googling seems to mention that PCI means Payment Cart Industry.
edwin2win
Moderator
Posts: 5370
The administrator has disabled public write access.
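
The behaviour described in the scanner message quoted in the first post, as an added example that is not part of the original thread and is not Joomla or JMS code. It assumes a toy in-memory session store (the hypothetical `SessionStore`, its `strict` switch and the cookie name `sid`), replays the scanner's probe against it, and goes one step further than the message by also showing ID regeneration at login.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Toy server-side session store; `strict` is a hypothetical switch."""

    def __init__(self, strict):
        self.strict = strict
        self.sessions = {}

    def handle(self, cookie_header, cookie_name="sid"):
        """Process one request; return (session ID in use, Set-Cookie or None)."""
        jar = SimpleCookie(cookie_header or "")
        sid = jar[cookie_name].value if cookie_name in jar else None
        if sid in self.sessions:
            return sid, None                    # known session, keep using it
        if sid is not None and not self.strict:
            self.sessions[sid] = {}             # adopts the client-chosen ID
            return sid, None
        new_sid = secrets.token_hex(16)         # server-generated ID only
        self.sessions[new_sid] = {}
        return new_sid, f"{cookie_name}={new_sid}; HttpOnly; Path=/"

    def login(self, sid, user):
        """Attach a user; the strict store issues a fresh ID at this point."""
        data = self.sessions.pop(sid) if self.strict else self.sessions[sid]
        data["user"] = user
        new_sid = secrets.token_hex(16) if self.strict else sid
        self.sessions[new_sid] = data
        return new_sid


def adopts_client_session_id(store, cookie_name="sid"):
    """Replay the scanner's probe: present an ID the server never issued."""
    probe = "scanner-" + secrets.token_hex(8)   # constructed sample value
    used, set_cookie = store.handle(f"{cookie_name}={probe}", cookie_name)
    # The finding is raised when the server keeps the probe ID as the session.
    return used == probe and set_cookie is None


if __name__ == "__main__":
    for strict in (False, True):
        result = adopts_client_session_id(SessionStore(strict))
        print(f"strict={strict}: adopts client-supplied ID = {result}")
```
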
 
2Win, Multisite(s) are trademarks of Edwin2Win.