Guide - 7.8 Migration Secure Cookie Settings

Product Version

7.8

Product To Version

7.8
Status

final

1 Introduction

Starting with 7.8, the secure flag of a cookie depends on the protocol of the request that sets it: a response to an HTTP request sets the cookie without the secure flag, a response to an HTTPS request sets it with the secure flag. A browser delivers a cookie that carries the secure flag only over HTTPS, so a cookie set on an HTTPS page is not sent with a later HTTP request to the same shop. This affects every feature of Intershop Commerce Suite that relies on cookies, namely:

  • Basket handling
  • Recently viewed items
  • A/B tests
  • User tracking cookie
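The effect described above, shown with Python's http.cookiejar standing in for the browser. This is an added example, not Intershop code: the 7.8 rule is emulated in set_cookie_header(), and the host shop.example.com, the page names and the cookie name 'basket' are made up. The three scenarios in the main block are the mixed-protocol shop that loses its basket, the all-HTTPS shop recommended in this guide, and the all-HTTP shop that works but sends the cookie in clear.

```python
"""What a browser does with the basket cookie when shop pages mix HTTP and
HTTPS under the 7.8 rule (secure flag follows the request protocol).
Added example, not Intershop code: the 7.8 behaviour is emulated in
set_cookie_header(); shop.example.com, the page names and the cookie name
'basket' are made up. Python's http.cookiejar plays the browser."""
import email.message
import http.cookiejar
import urllib.parse
import urllib.request


def set_cookie_header(name, value, page_url):
    """Emulated 7.8 rule: the Secure attribute is present exactly when the
    page that sets the cookie was requested over HTTPS."""
    header = f"{name}={value}; Path=/"
    if urllib.parse.urlsplit(page_url).scheme == "https":
        header += "; Secure"
    return header


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_value):
        self._headers = email.message.Message()
        self._headers.add_header("Set-Cookie", set_cookie_value)

    def info(self):
        return self._headers


def store_cookie(jar, page_url, header):
    """Feed one Set-Cookie response for page_url into the browser's cookie jar."""
    jar.extract_cookies(_Response(header), urllib.request.Request(page_url))


def cookie_sent_to(jar, page_url):
    """Return the Cookie header the browser would send to page_url, or None.
    add_cookie_header() withholds Secure cookies unless the request is HTTPS."""
    req = urllib.request.Request(page_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def walk_shop(pages):
    """Set the basket cookie on the first page, then record for every later
    page whether the browser still presents it. Returns {url: bool}."""
    jar = http.cookiejar.CookieJar()
    first, rest = pages[0], pages[1:]
    store_cookie(jar, first, set_cookie_header("basket", "b1", first))
    return {url: cookie_sent_to(jar, url) is not None for url in rest}


if __name__ == "__main__":
    host = "shop.example.com"  # made-up shop host
    scenarios = {
        # cookie set with Secure on an HTTPS page, then an HTTP page:
        # the browser withholds it and the basket looks empty there
        "mixed": [f"https://{host}/ViewCart-Add", f"http://{host}/ViewCart-View",
                  f"https://{host}/Checkout-Start"],
        # everything HTTPS (recommended): cookie is Secure and always delivered
        "all https": [f"https://{host}/ViewCart-Add", f"https://{host}/ViewCart-View",
                      f"https://{host}/Checkout-Start"],
        # everything HTTP: works, but the cookie has no Secure flag and travels in clear
        "all http": [f"http://{host}/ViewCart-Add", f"http://{host}/ViewCart-View"],
    }
    for name, pages in scenarios.items():
        print(f"{name}: {walk_shop(pages)}")
```

In the mixed scenario the HTTP page reports False: the basket cookie exists in the browser but is never sent to that page, which is exactly the "erroneous working" a shop with unequal protocol usage shows after the migration.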

2 Deprecation

Previously, the secure flag of the cookies listed above could be configured as outlined in Cookbook - Cookie Handling.

The setting was deprecated with ICM 7.6 and is removed in Intershop Commerce Suite 7.8. Even if it is still present in an old configuration file, it is no longer respected. Instead, the protocol used to request a page dictates the secure flag of the cookies that page sets.

Intershop strongly encourages using HTTPS, even on pages that might not seem to need such protection.

2.1 User Interaction Required

To avoid malfunctioning or broken features:

  1. Unify the protocol usage across all applications/shops.

    There is no easy way to do this. You have to identify the pages available in the shop and ensure that they all use the same protocol, either HTTP or HTTPS; as stated above, HTTPS is recommended. To do so, identify the pages and the ISML templates that render them, and inside these templates check the usage of the URL and URLEX functions.

The ISML Function - url() generates hyperlinks that use the same protocol as the request that triggered the pipeline, so links generated with it never switch the protocol and need no change. If your project uses only the URL function, there is nothing to do at all.

The ISML Function - urlex(), however, has an additional parameter that fixes the protocol of the generated link, so a link created with URLEX can lead from an HTTPS page to an HTTP page or vice versa.

Unify the protocol usage

So if ISML templates that render pages involved in the secure-cookie-related features use both URL and URLEX, you have two options:

  1. Change all usages of URL to URLEX and ensure that every call uses the correct (same) protocol, or
  2. Change all usages of URLEX to URL.
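A scan over the templates that the procedure above asks you to identify, as an added example (not Intershop tooling). It assumes that URLEX receives the protocol as a quoted literal such as 'http' or 'https' somewhere in its argument list; the three sample templates are constructed for the example and use that assumed argument form, so adapt PROTO_LITERAL if your templates pass the protocol differently. A template is reported when it mixes URL and URLEX, when its URLEX calls pin more than one protocol, or when they pin a protocol other than the target one (HTTPS by default).

```python
"""Audit ISML templates for mixed url()/urlex() protocol usage.
Added example, not Intershop tooling. Assumption: the protocol is passed
to URLEX as a quoted literal such as 'http' or 'https' somewhere in its
argument list; adjust PROTO_LITERAL if your templates pass it differently."""
import re

# URLEX is tried before URL so "URLEX(" is never counted as a URL call;
# \b keeps identifiers like getURL( out of the count.
CALL = re.compile(r"\b(URLEX|URL)\s*\(", re.IGNORECASE)
PROTO_LITERAL = re.compile(r"""['"](https?)['"]""", re.IGNORECASE)


def _argument_text(text, start):
    """Return a call's argument list, from just after its '(' up to the
    matching ')' (nested calls such as Action(...) are skipped over)."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unbalanced template: take the rest


def audit_template(source, target="https"):
    """Classify one template.
    Returns (url_count, urlex_count, sorted protocols pinned by URLEX, problems)."""
    url_count = urlex_count = 0
    protocols = set()
    for m in CALL.finditer(source):
        if m.group(1).upper() == "URL":
            url_count += 1
        else:
            urlex_count += 1
            args = _argument_text(source, m.end())
            protocols.update(p.lower() for p in PROTO_LITERAL.findall(args))
    problems = []
    if url_count and urlex_count:
        problems.append("uses both URL and URLEX; switch to one of them")
    if len(protocols) > 1:
        problems.append("URLEX pins both http and https")
    off_target = protocols - {target}
    if off_target:
        problems.append(f"URLEX pins {', '.join(sorted(off_target))} instead of {target}")
    return url_count, urlex_count, sorted(protocols), problems


def audit(templates, target="https"):
    """Run audit_template over {name: source}; return {name: problems}
    for the templates that need work."""
    findings = {}
    for name, source in templates.items():
        *_, problems = audit_template(source, target)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample templates; the URLEX argument form is the assumption above.
SAMPLE_TEMPLATES = {
    "ViewCart.isml": (
        "<a href=\"#URL(Action('ViewCart-View'))#\">Basket</a>\n"
        "<a href=\"#URLEX('http', '80', Action('ViewCart-View'))#\">Basket (plain)</a>\n"
    ),
    "Checkout.isml": "<form action=\"#URLEX('https', '443', Action('Checkout-Start'))#\">",
    "Header.isml": "<a href=\"#URL(Action('Default-Start'))#\">Home</a>",
}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_TEMPLATES).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run it over the real template tree by replacing SAMPLE_TEMPLATES with a dictionary built from the .isml files; pass target="http" only if you deliberately unify on HTTP, which this guide advises against.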

3 Force HTTPS

Although not strictly necessary, it is recommended to force HTTPS across all pages. Then every cookie your web shop sets carries the secure flag, and the traffic between the customer and the shop is encrypted, which protects the basket, tracking and other cookies, and the rest of the exchange, from being read or tampered with on the network.

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.
