views: 41
answers: 1

Hello there. I am attempting to obtain PCI compliance for my site, but the McAfee security scan has thrown a:

Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel

Drupal (default behavior) sets a session cookie when you simply arrive at the site. This is causing the problem. Clearly, the entire site shouldn't be under SSL; plenty of other sites set session cookies like this.

What gives?

A: 

What version of Drupal?

You might consider the Pressflow fork of Drupal, which backports some fixes from Drupal 7 to earlier versions. One of the notable ones is that it doesn't set a session cookie for anonymous users unless they actually need one. Assuming you don't need the cookies, you might be able to sidestep this whole problem.

Eli
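To see concretely what the scanner is objecting to, and to check whether the Pressflow approach above actually removes the finding, here is a small audit of `Set-Cookie` headers. It is an added example, not code from the original thread, from Drupal or from Pressflow, and it is a heuristic rather than a reproduction of the McAfee check. The `SENSITIVE_NAME` pattern assumes Drupal 6/7 session cookies are named `SESS<hash>` (or `SSESS<hash>` over https) and the sample headers are constructed, not captured from any site; `audit` and `parse_set_cookie` are names chosen here. A finding is raised when a sensitive cookie with an `Expires` or `Max-Age` attribute (persistent) is set in a response fetched over plain http, when a session cookie lacks the `Secure` flag, and when a session cookie is set at all on an anonymous request, which is the case the answer says Pressflow avoids.

```python
import re
from dataclasses import dataclass, field

# Assumption: Drupal 6/7 name the session cookie SESS<hash>, or SSESS<hash>
# when served over https; PHPSESSID is plain PHP. Treat these as sensitive.
SENSITIVE_NAME = re.compile(r"^(?:S?SESS[0-9a-f]+|PHPSESSID)$", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value

    @property
    def persistent(self) -> bool:
        # A cookie with Expires or Max-Age outlives the browser session.
        return "expires" in self.attrs or "max-age" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def sensitive(self) -> bool:
        return SENSITIVE_NAME.match(self.name) is not None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def audit(scheme: str, set_cookie_headers, anonymous: bool = False):
    """Return a list of (cookie name, issue) pairs for one HTTP response.

    scheme: 'http' or 'https', the scheme of the URL the response came from.
    anonymous: True if the request carried no credentials (a first visit).
    """
    findings = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if scheme != "https" and c.persistent and c.sensitive:
            findings.append((c.name, "sensitive persistent cookie sent over non-encrypted channel"))
        if c.sensitive and not c.secure:
            findings.append((c.name, "session cookie lacks Secure flag"))
        if anonymous and c.sensitive:
            findings.append((c.name, "session cookie set for anonymous request"))
    return findings


# Constructed sample headers for the two cases discussed (not captured from a real site).
ANON_HTTP = [
    "SESS0a1b2c3d4e5f=abc123; expires=Wed, 13 Jan 2021 22:23:01 GMT; path=/; domain=.example.com",
]
AUTH_HTTPS = [
    "SSESS0a1b2c3d4e5f=abc123; expires=Wed, 13 Jan 2021 22:23:01 GMT; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    cases = [
        ("anonymous visit over http", "http", ANON_HTTP, True),
        ("logged-in page over https", "https", AUTH_HTTPS, False),
    ]
    for label, scheme, headers, anon in cases:
        print(label, "->", audit(scheme, headers, anonymous=anon) or "clean")
```

Feed it the `Set-Cookie` lines from a plain `curl -sI http://yoursite/` made with no cookie jar: if an anonymous hit returns no `Set-Cookie` at all, the finding the scanner raised has nothing to attach to; if it still returns a persistent `SESS…` cookie over http, the scanner is right.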