Turn on use_cookies on admin panels PHP


jadent
9th May 2008, 04:25 PM
How to turn on PHP's session.use_cookies on the admin panel's PHP version? You can set it in the master value in /usr/local/psa/admin/conf/php.ini but the local value is set to "Off" and I cannot find where it sets it to off (it is possible they do it in the code as well). Does anyone know?

Having it off violates PCI compliance

HostingGuy
15th May 2008, 12:26 PM
If having it turned on violates compliance, why would you want to turn it on?

jadent
15th May 2008, 12:30 PM
Sorry, the last statement should be "Having it off...". Having it off violates compliance, as then it will use the query string, which is even easier to hack. Having it turned on makes it a little more difficult, and PCI compliance demands that it is on.

HostingGuy
15th May 2008, 12:55 PM
Gotcha - thanks :)

I took a quick look at my setup:


grep 'use_cookies' /usr/local/psa/admin/conf/*

php.ini:session.use_cookies = 1
php.ini.def:session.use_cookies = 1


Is that what you have too?

jadent
15th May 2008, 01:01 PM
Yep. But if you put a phpinfo in the admin application you will see

Local Value as 'Off' and Master Value as 'On'

Meaning it's being overridden somewhere else. Maybe in an Apache conf file, .htaccess or the PHP code. There is an encoded .htaccess.swp file in the /usr/local/psa/admin/htdocs directory.
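
An added example, not code from anyone in this thread or from Plesk: one way to search a directory tree for the override sources named in the last post (php_flag/php_value lines in Apache conf or .htaccess files, ini_set() calls in PHP code, ini-style assignments). The function name scan_tree and the sample files are assumptions made for illustration; encoded files cannot be read this way.

```python
import os
import re
import sys
import tempfile

# Ways a Local Value for session.use_cookies can be set outside the master php.ini.
PATTERNS = [
    ("apache php_flag/php_value",
     re.compile(r"^\s*php_(?:admin_)?(?:flag|value)\s+session\.use_cookies\s+[\"']?([^\s\"']+)", re.I)),
    ("ini_set() in PHP code",
     re.compile(r"ini_set\s*\(\s*[\"']session\.use_cookies[\"']\s*,\s*[\"']?([^\s\"',)]+)", re.I)),
    ("ini-style assignment",
     re.compile(r"^\s*session\.use_cookies\s*=\s*[\"']?([^\s\"';]+)", re.I)),
]
STATES = {"0": "off", "off": "off", "false": "off", "no": "off",
          "1": "on", "on": "on", "true": "on", "yes": "on"}

def scan_tree(root):
    """Return sorted (relative path, line number, mechanism, state) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable (permissions, sockets): nothing to report
            for number, line in enumerate(lines, 1):
                if line.lstrip().startswith(("#", ";", "//")):
                    continue  # a commented-out setting has no effect
                for mechanism, pattern in PATTERNS:
                    match = pattern.search(line)
                    if match:
                        # A variable or expression as the value is reported as "dynamic".
                        state = STATES.get(match.group(1).lower(), "dynamic")
                        hits.append((os.path.relpath(path, root), number, mechanism, state))
                        break
    return sorted(hits)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # constructed sample tree, not taken from a real Plesk install
        root = tempfile.mkdtemp()
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("# php_flag session.use_cookies on\nphp_flag session.use_cookies off\n")
        with open(os.path.join(root, "auth.php"), "w") as fh:
            fh.write("<?php\nini_set('session.use_cookies', 0);\n")
    for hit in scan_tree(root):
        print("%s:%d: %s -> %s" % hit)
```

Run it with a directory as its argument, for example the admin conf or htdocs path mentioned above; any "off" hit is a candidate for the Local Value that phpinfo reports.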