PCI Failures Due to Cookies

Level 5

Hello,

We have hit PCI issues due to Adobe Cookies and are unsure how to move forward correcting them. They appear to all be Analytics related and we have set the 'Only Write Secure Cookies' option in the Analytics Plug In.

Here are the ones that were called out by the scan:

Cookie Does Not Contain the "HTTPOnly" Attribute:

  • sc_previousPageName=(referring page)
  • intCmpCode=(URL Parameter)
  • s_evar94=(page title)
  • s_evar101=(URL Parameter)

Cookie Does Not Contain the "Secure" Attribute:

  • test=cookie
  • TEST_AMCV_COOKIE=T

We believe that the ones missing the 'Secure' attribute come from the VisitorAPI.js, but we don't know how to update or disable it. There was another post here asking to do so, but there wasn't a resolution, unfortunately.

The evar ones appear to be generated from the Adobe Analytics Plug-Ins, such as 'getPreviousValue' and 'getValOnce' - but Adobe notes that these are not supported by standard support.

Obviously PCI compliance is of utmost importance, so we're hoping that others have encountered this and found ways to resolve the issues. Any suggestions or advice is greatly appreciated.

Thank you!

Robbie

3 Replies

Community Advisor and Adobe Champion

Hi, on your Experience Cloud ID Service extension, you should be able to set secure cookies with this:

[Screenshot: Jennifer_Dungan_0-1724873822553.png]

The other cookies as you mentioned are coming from Adobe plugin code (getPreviousValue and getValOnce, etc). I don't use a lot of the Adobe plugins, but I don't believe those could ever be set to HTTPOnly because by definition, that is a cookie that is set by the server, and only allows the server to manipulate it... and anything you set with a plugin wouldn't comply...

However, there may be alternatives available to you...

Activity Map will track the "previous page name" in Activity Map Page (and I believe this uses session storage, not cookies - and shouldn't have the security issue); and as for "getValOnce", you can create a segment using "Non Repeating Instance" to essentially get the same thing.

https://experienceleague.adobe.com/en/docs/analytics/components/segmentation/segmentation-workflow/s...
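
An added example, not part of the thread and not Adobe's plugin code: a sketch of keeping "previous value" and "value once" state in sessionStorage instead of script-written cookies, so there is no cookie for a scan to flag. The function names, storage keys and the approximated plugin behaviour are assumptions.

```javascript
// Added example: hypothetical helpers, not Adobe plugin code.

// In-memory stand-in with the sessionStorage methods used below (Node, or storage blocked).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// In a browser, call this once: prefers sessionStorage, falls back when absent or throwing.
function pickStorage() {
  try {
    if (typeof sessionStorage !== "undefined") {
      sessionStorage.setItem("__probe", "1");
      sessionStorage.removeItem("__probe");
      return sessionStorage;
    }
  } catch (e) { /* storage disabled by policy or privacy mode */ }
  return memoryStorage();
}

// Return what the previous call stored (e.g. the previous page name), then store the new value.
function previousValue(store, key, current) {
  const prev = store.getItem(key);
  if (current) store.setItem(key, current);
  return prev === null ? "" : prev;
}

// Return `value` only when it differs from the last value seen this session; otherwise "".
function valueOnce(store, key, value) {
  if (!value || store.getItem(key) === value) return "";
  store.setItem(key, value);
  return value;
}

// Constructed page views: [page name, campaign code taken from the URL].
function simulateVisit(store) {
  const views = [["home", "SPRING"], ["cart", "SPRING"], ["checkout", ""]];
  return views.map(([page, cmp]) => ({
    page,
    previousPage: previousValue(store, "prev_page", page),
    campaign: valueOnce(store, "cmp_once", cmp),
  }));
}
```

Values in sessionStorage are never sent with requests and are scoped to the tab, but any script running on the origin can read them, which is the same exposure a script-written cookie has.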

Level 5

Thank you @Jennifer_Dungan! We'll be updating the Experience Cloud ID extension right away, we didn't know about that one.

Interesting idea with the Activity Map! We'll work with some of our super users to see if that can work.

Great ideas, thanks for chiming in!

Community Advisor and Adobe Champion

You're welcome. I hope you can get what you need with some work-arounds!