molotovbliss · December 21, 2016 21:20 · avoelkl · Jun 28, 2017 · cfgalvani · Jul 20, 2018
diff --git a/patch-7136 b/patch-7136
 Sauce: https://community.magento.com/t5/Technical-Issues/Cookies-frontend-cid-is-never-renewed-compared-to-frontend-one/td-p/41077

 The core code seems to have forgotten to include the logic to renew the frontend_cid cookie.
 
 I have contacted Magento support regarding this and they provided me a patch - SUPEE-7136, however I'm not seeing it published online anywhere...
 
 The issue lies in this file:
 app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
 
 What the patch does is replace this:
        if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
            // secure cookie check to prevent MITM attack
            $secureCookieName = $sessionName . '_cid';
            if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])
                && $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))
            ) {
                session_regenerate_id(false);
                $sessionHosts = $this->getSessionHosts();
                $currentCookieDomain = $cookie->getDomain();
                foreach (array_keys($sessionHosts) as $host) {
                    // Delete cookies with the same name for parent domains
                    if (strpos($currentCookieDomain, $host) > 0) {
                        $cookie->delete($this->getSessionName(), null, $host);
                    }
                }
                $_SESSION = array();
            }
            if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
                $checkId = Mage::helper('core')->getRandomString(16);
                $cookie->set($secureCookieName, $checkId, null, null, null, true);
                $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
            }
        }
 with this:
        if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
            // secure cookie check to prevent MITM attack
            $secureCookieName = $sessionName . '_cid';
            if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
                if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) {
                    session_regenerate_id(false);
                    $sessionHosts = $this->getSessionHosts();
                    $currentCookieDomain = $cookie->getDomain();
                    foreach (array_keys($sessionHosts) as $host) {
                        // Delete cookies with the same name for parent domains
                        if (strpos($currentCookieDomain, $host) > 0) {
                            $cookie->delete($this->getSessionName(), null, $host);
                        }
                    }
                    $_SESSION = array();
                } else {
                    /**
                     * Renew secure cookie expiration time if secure id did not change
                     */
                    $cookie->renew($secureCookieName, null, null, null, true, null);
                }
            }
            if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
                $checkId = Mage::helper('core')->getRandomString(16);
                $cookie->set($secureCookieName, $checkId, null, null, null, true);
                $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
            }
        }
	Sauce: https://community.magento.com/t5/Technical-Issues/Cookies-frontend-cid-is-never-renewed-compared-to-frontend-one/td-p/41077

	The core code seems to have forgotten to include the logic to renew the frontend_cid cookie.

	I have contacted Magento support regarding this and they provided me a patch - SUPEE-7136, however I'm not seeing it published online anywhere...

	The issue lies in this file:
	app/code/core/Mage/Core/Model/Session/Abstract/Varien.php

	What the patch does is replace this:
	if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
	// secure cookie check to prevent MITM attack
	$secureCookieName = $sessionName . '_cid';
	if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])
	&& $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))
	) {
	session_regenerate_id(false);
	$sessionHosts = $this->getSessionHosts();
	$currentCookieDomain = $cookie->getDomain();
	foreach (array_keys($sessionHosts) as $host) {
	// Delete cookies with the same name for parent domains
	if (strpos($currentCookieDomain, $host) > 0) {
	$cookie->delete($this->getSessionName(), null, $host);
	}
	}
	$_SESSION = array();
	}
	if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
	$checkId = Mage::helper('core')->getRandomString(16);
	$cookie->set($secureCookieName, $checkId, null, null, null, true);
	$_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
	}
	}
	with this:
	if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
	// secure cookie check to prevent MITM attack
	$secureCookieName = $sessionName . '_cid';
	if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
	if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) {
	session_regenerate_id(false);
	$sessionHosts = $this->getSessionHosts();
	$currentCookieDomain = $cookie->getDomain();
	foreach (array_keys($sessionHosts) as $host) {
	// Delete cookies with the same name for parent domains
	if (strpos($currentCookieDomain, $host) > 0) {
	$cookie->delete($this->getSessionName(), null, $host);
	}
	}
	$_SESSION = array();
	} else {
	/**
	* Renew secure cookie expiration time if secure id did not change
	*/
	$cookie->renew($secureCookieName, null, null, null, true, null);
	}
	}
	if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
	$checkId = Mage::helper('core')->getRandomString(16);
	$cookie->set($secureCookieName, $checkId, null, null, null, true);
	$_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
	}
	}