In ICM 7.6, a cookie's secure flag depends on the protocol of the request that sets it: cookies set over HTTP are non-secure, while cookies set over HTTPS carry the secure flag. In other words, a cookie with the secure flag is only sent by the browser over HTTPS. This affects every feature of Intershop Commerce Suite that relies on cookies, namely:
The secure flag for the above-mentioned cookies could be configured as outlined in Cookbook - Cookie Handling.
Starting with ICM 7.6 the secure flag setting is deprecated, and it is removed in Intershop Commerce Suite 7.8. Even if it still exists in an old configuration file, it is no longer respected. Instead, the protocol used on any given page dictates the cookie's secure status.
Intershop strongly encourages the use of HTTPS even on pages that might not seem to be subject to such a security requirement.
To avoid malfunctioning or broken features:
Unify the protocol usage across all applications/shops.
There is no easy way to do this. You have to identify the pages available in the shop and ensure they all use the same protocol, either HTTP or HTTPS. As stated before, using HTTPS is recommended. To do so, identify the pages and the ISML templates that render them. Inside these templates, change the usage of the URL and URLEX functions.
Since the ISML Function - url() generates hyperlinks that use the same protocol as the pipeline that rendered the page, there is nothing to do for it. This also means that if your project uses only the URL function, there is nothing to do at all.
The ISML Function - urlex(), however, has an additional parameter that specifies the protocol.
Unify the protocol usage
So if ISML templates rendering pages involved in the secure-cookie-related features use both URL and URLEX, you have two options:
Change URL to URLEX, or:
Change URLEX to URL.
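Finding the templates that mix both functions is the tedious part of the unification step above. The following script is an added example, not Intershop code: it scans ISML sources for URL and URLEX calls and reports templates that use both. The sample templates and the 'https'/'http' argument in the URLEX calls are constructed for illustration; the script does not parse the real URLEX signature.

```python
import re
from pathlib import Path

# Constructed ISML snippets standing in for real templates (not Intershop code).
# The protocol argument shown in the URLEX calls is an assumption for the sample.
SAMPLE_TEMPLATES = {
    "cart/Cart.isml": (
        '<a href="#URL(Action(\'ViewCart-View\'))#">Cart</a>\n'
        '<a href="#URLEX(\'https\', Action(\'Checkout-Start\'))#">Checkout</a>\n'
    ),
    "common/Header.isml": '<a href="#url(Action(\'Home-Start\'))#">Home</a>\n',
    "account/Login.isml": (
        '<form action="#URLEX(\'http\', Action(\'Login-Process\'))#">\n'
    ),
}

# "URLEX(" also begins with "URL", so the pattern requires the opening
# parenthesis right after the name; a plain substring search for "URL"
# would count every URLEX call as a URL call too. ISML function names are
# matched case-insensitively here (assumption: url() and URL() are the same).
URL_CALL = re.compile(r"\bURL\s*\(", re.IGNORECASE)
URLEX_CALL = re.compile(r"\bURLEX\s*\(", re.IGNORECASE)


def count_calls(source: str) -> dict:
    """Number of URL(...) and URLEX(...) calls in one template source."""
    return {"URL": len(URL_CALL.findall(source)),
            "URLEX": len(URLEX_CALL.findall(source))}


def audit_templates(templates: dict) -> dict:
    """Map template name -> call counts."""
    return {name: count_calls(src) for name, src in templates.items()}


def mixed_templates(templates: dict) -> list:
    """Templates using both functions: the candidates for unifying to one."""
    return sorted(name for name, c in audit_templates(templates).items()
                  if c["URL"] and c["URLEX"])


def load_templates(root: str) -> dict:
    """Read every *.isml file below root (use this on a real cartridge tree)."""
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in Path(root).rglob("*.isml")}


if __name__ == "__main__":
    for name, counts in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: URL={counts['URL']} URLEX={counts['URLEX']}")
    print("mixed:", mixed_templates(SAMPLE_TEMPLATES))
```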
Although not strictly necessary, it is recommended to force the HTTPS protocol across all pages. This way your web shop will always issue secure cookies, and the traffic to and from the customer will be encrypted and thus more resistant to various types of attacks.
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.