
Enable secure_cookies (httpOnly flag) in CS-Cart or Multi-Vendor

httpOnly is an additional attribute of the HTTP Set-Cookie header. It tells the browser that the cookie data must not be read or written by JavaScript, hence the name: the cookie is available only via the HTTP protocol. Using httpOnly lets web developers set a security policy for access to cookies from the browser environment, which helps defend against cookie theft through XSS (HTML code injection) attacks. And while httpOnly restrictions can be bypassed in some cases, the flag makes it much harder for an attacker to obtain the admin and vendor sessions of the project.

How to enable httpOnly in CS-Cart

  1. You need SSH/sFTP/FTP access to the project server, because you will need to edit the file config.local.php in the project directory.
  2. Open config.local.php and find the secure_cookies tweak in it.

    This tweak has been available since CS-Cart version 4.12.1; if you do not have it, please contact the CS-Cart developers or technical support for help.

  3. Check the value: if it is false, replace it with true. Note that the entry should look like 'secure_cookies' => true, with no additional quotes around true.

[Screenshot: enable httpOnly in CS-Cart]

P.S. All users will be logged out, and all abandoned carts will be lost, because the cookies will be regenerated as new, secure ones.
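Once the tweak is in place, it is worth confirming from the outside that the store's responses actually carry the attribute. The POSIX shell script below is an added example, not part of the original article and not CS-Cart's own code: it inspects a Set-Cookie header for the HttpOnly attribute that the tweak is about and also for the Secure attribute, which any store served over HTTPS should have. It runs here over constructed sample headers; the cookie names and the store hostname in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article or CS-Cart): check whether a
# Set-Cookie header carries the HttpOnly and Secure attributes.
#
# Usage against your own store (hostname is a placeholder):
#   curl -sI https://your-store.example/ | grep -i '^set-cookie:' \
#     | while read -r h; do check_cookie_flags "$h"; done

# strip_header_name HEADER -> the header value without the "Set-Cookie:" prefix
# (case-insensitive); a bare cookie string is returned unchanged.
strip_header_name() {
    printf '%s' "$1" | sed 's/^[Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*//'
}

# missing_cookie_flags HEADER -> prints the space-separated list of missing
# attributes ("HttpOnly", "Secure"), empty when both are present.
# Attribute names are matched case-insensitively, as browsers do.
missing_cookie_flags() {
    value=$(strip_header_name "$1")
    # lowercase everything and normalise "; " separators to ";" so that each
    # attribute can be matched as a whole ";attr;" token
    attrs=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]' | sed 's/;[[:space:]]*/;/g')
    missing=""
    case ";$attrs;" in *";httponly;"*) ;; *) missing="$missing HttpOnly" ;; esac
    case ";$attrs;" in *";secure;"*)   ;; *) missing="$missing Secure"   ;; esac
    printf '%s' "${missing# }"
}

# check_cookie_flags HEADER -> prints the cookie name and a verdict;
# exit status 0 only when nothing is missing.
check_cookie_flags() {
    value=$(strip_header_name "$1")
    name=${value%%=*}
    missing=$(missing_cookie_flags "$1")
    if [ -z "$missing" ]; then
        printf 'OK      %s: HttpOnly and Secure set\n' "$name"
        return 0
    fi
    printf 'WARNING %s: missing %s\n' "$name" "$missing"
    return 1
}

# Constructed sample headers: what a response might look like before and
# after the tweak (cookie names and values are illustrative, not CS-Cart's).
sample_before='Set-Cookie: sid_customer_demo=0123456789abcdef; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT'
sample_after='Set-Cookie: sid_customer_demo=0123456789abcdef; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly; Secure'

check_cookie_flags "$sample_before" || true
check_cookie_flags "$sample_after"  || true
```

Run it as-is to see the two verdicts on the constructed headers; to check a live store, pipe the output of `curl -sI` through the loop shown in the usage comment and look for any WARNING lines.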